[4598] in North American Network Operators' Group


Re: router syn/syn-ack/ack alarming...

daemon@ATHENA.MIT.EDU (Larry J. Plato)
Wed Sep 18 19:38:25 1996

From: "Larry J. Plato" <ljp@ans.net>
To: michael@memra.com (Michael Dillon)
Date: Wed, 18 Sep 1996 23:32:56 +0000 (GMT)
Cc: nanog@merit.edu
In-Reply-To: <Pine.BSI.3.93.960918155911.1925A-100000@sidhe.memra.com> from "Michael Dillon" at Sep 18, 96 04:01:41 pm

> 
> On Wed, 18 Sep 1996, Vern Paxson wrote:
> 
> > > have something in their logs like SYN/ACK RATIO 33:1 POSSIBLE HACKER
> > > ATTACK which will make them sit up and take notice.
> > 
> > I don't see how in reality to make the syn/syn-ack/ack ratio work soundly.
> > It seems too easy for the cracker to synthesize bogus syn-ack's or ack's to
> > manipulate the ratio however they please.
> 
> Wouldn't the ratio be calculated from outgoing SYN's and incoming ACK's?
> I can see that a sophisticated attacker could have a machine on another
> network sending incoming ACK's to balance the outgoing SYN's but I suspect
> this would be an extremely small percentage of attacks.
> 
Until someone implements this as a feature, then 2600 will post the code 
to a program that sends SYNs followed by ACKs a minute later.  The damage
would be done by then, but the stats would show balanced flows.

Larry Plato
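
The objection in this reply, shown as an added example that is not part of the original message: a window-wide SYN:ACK ratio looks balanced when the ACKs arrive a minute late, while timing each handshake per flow still flags them. The event format, the 5-second timeout, the function names and the trace (documentation-range addresses) are all constructed assumptions.

```python
from collections import namedtuple

# Constructed event record: one observed TCP segment (hypothetical format).
Event = namedtuple("Event", "ts kind flow")  # kind is "SYN" or "ACK"

HANDSHAKE_TIMEOUT = 5.0  # seconds; assumed threshold, tune per network


def aggregate_ratio(events):
    """SYN:ACK ratio over the whole window, as the quoted proposal suggests."""
    syns = sum(1 for e in events if e.kind == "SYN")
    acks = sum(1 for e in events if e.kind == "ACK")
    return syns / acks if acks else float("inf")


def slow_handshakes(events, timeout=HANDSHAKE_TIMEOUT):
    """Flows whose SYN was not matched by an ACK within `timeout` seconds."""
    pending = {}   # flow -> timestamp of its SYN
    flagged = set()
    last_ts = 0.0
    for e in sorted(events, key=lambda e: e.ts):
        last_ts = e.ts
        if e.kind == "SYN":
            pending.setdefault(e.flow, e.ts)
        elif e.kind == "ACK" and e.flow in pending:
            if e.ts - pending.pop(e.flow) > timeout:
                flagged.add(e.flow)   # completed, but far too late
    # SYNs still unanswered at the end of the trace and older than the timeout
    flagged.update(f for f, ts in pending.items() if last_ts - ts > timeout)
    return flagged


def constructed_trace():
    """3 ordinary handshakes plus 30 flows that ACK one minute after the SYN."""
    events = []
    for i in range(3):
        flow = ("192.0.2.10", 40000 + i, "198.51.100.5", 80)
        events += [Event(i, "SYN", flow), Event(i + 0.1, "ACK", flow)]
    for i in range(30):
        flow = ("203.0.113.7", 50000 + i, "198.51.100.5", 80)
        events += [Event(10 + i * 0.01, "SYN", flow),
                   Event(70 + i * 0.01, "ACK", flow)]
    return events


if __name__ == "__main__":
    trace = constructed_trace()
    print("aggregate SYN:ACK ratio:", aggregate_ratio(trace))
    print("flows exceeding handshake timeout:", len(slow_handshakes(trace)))
```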
