[4591] in North American Network Operators' Group


Re: router syn/syn-ack/ack alarming...

daemon@ATHENA.MIT.EDU (Michael Dillon)
Wed Sep 18 19:16:03 1996

Date: Wed, 18 Sep 1996 16:01:41 -0700 (PDT)
From: Michael Dillon <michael@memra.com>
To: nanog@merit.edu
In-Reply-To: <199609181812.LAA13434@daffy.ee.lbl.gov>

On Wed, 18 Sep 1996, Vern Paxson wrote:

> > have something in their logs like SYN/ACK RATIO 33:1 POSSIBLE HACKER
> > ATTACK which will make them sit up and take notice.
> 
> I don't see how in reality to make the syn/syn-ack/ack ratio work soundly.
> It seems too easy for the cracker to synthesize bogus syn-ack's or ack's to
> manipulate the ratio however they please.

Wouldn't the ratio be calculated from outgoing SYN's and incoming ACK's?
I can see that a sophisticated attacker could have a machine on another
network sending incoming ACK's to balance the outgoing SYN's but I suspect
this would be an extremely small percentage of attacks.


Michael Dillon                   -               ISP & Internet Consulting
Memra Software Inc.              -                  Fax: +1-604-546-3049
http://www.memra.com             -               E-mail: michael@memra.com
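
Added example, not part of the original message: a Python illustration of the ratio discussed in this thread, computed from outgoing SYNs and incoming ACK-bearing segments on one interface. It goes beyond the thread by also counting SYNs that never receive a SYN-ACK for the same connection, a figure that inbound ACKs belonging to no observed connection do not change. The record layout, addresses and sample capture are constructed assumptions.

```python
from collections import namedtuple

# One record per TCP segment seen on a customer-facing interface.
# Field names and sample values are constructed for this example.
Pkt = namedtuple("Pkt", "direction src sport dst dport flags seq ack")

def aggregate_ratio(pkts):
    """Outgoing SYNs versus incoming ACK-bearing segments, counted blindly."""
    syns = sum(p.direction == "out" and p.flags == "S" for p in pkts)
    acks = sum(p.direction == "in" and "A" in p.flags for p in pkts)
    return syns, acks, syns / max(acks, 1)

def unanswered_syns(pkts):
    """Outgoing SYNs never answered by a SYN-ACK for the same connection."""
    pending = {}  # (src, sport, dst, dport) -> ack number a real reply carries
    for p in pkts:
        if p.direction == "out" and p.flags == "S":
            pending[(p.src, p.sport, p.dst, p.dport)] = (p.seq + 1) % 2**32
        elif p.direction == "in" and p.flags == "SA":
            key = (p.dst, p.dport, p.src, p.sport)
            if pending.get(key) == p.ack:
                del pending[key]
    return len(pending)

def sample_traffic(balancing_acks=0):
    """Constructed capture: 1 completed handshake, 32 unanswered SYNs, plus
    optional inbound ACKs that belong to no connection seen on the interface."""
    pkts = [
        Pkt("out", "198.51.100.7", 40000, "192.0.2.10", 80, "S", 1000, 0),
        Pkt("in", "192.0.2.10", 80, "198.51.100.7", 40000, "SA", 5000, 1001),
        Pkt("out", "198.51.100.7", 40000, "192.0.2.10", 80, "A", 1001, 5001),
    ]
    pkts += [Pkt("out", f"198.51.100.{i}", 1024 + i, "192.0.2.10", 80, "S", i, 0)
             for i in range(100, 132)]
    pkts += [Pkt("in", "203.0.113.5", 80, "198.51.100.7", 50000 + i, "A", 0, i)
             for i in range(balancing_acks)]
    return pkts

if __name__ == "__main__":
    for extra in (0, 33):
        syns, acks, ratio = aggregate_ratio(sample_traffic(extra))
        print(f"extra_acks={extra} syns={syns} acks={acks} ratio={ratio:.2f}:1 "
              f"unanswered={unanswered_syns(sample_traffic(extra))}")
```
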

