[4603] in North American Network Operators' Group
Re: router syn/syn-ack/ack alarming...
daemon@ATHENA.MIT.EDU (Curtis Villamizar)
Wed Sep 18 21:10:31 1996
To: Vadim Antonov <avg@quake.net>
cc: michael@memra.com, nanog@merit.edu
Reply-To: curtis@ans.net
In-reply-to: Your message of "Wed, 18 Sep 1996 13:57:52 PDT."
<199609182057.NAA00879@quest.quake.net>
Date: Wed, 18 Sep 1996 20:58:57 -0400
From: Curtis Villamizar <curtis@ans.net>

In message <199609182057.NAA00879@quest.quake.net>, Vadim Antonov writes:
> Michael Dillon <michael@memra.com> wrote:
>
> >This ratio detection
> >doesn't need to shutdown anything, just syslog the fact so that admins
> >have something in their logs like SYN/ACK RATIO 33:1 POSSIBLE HACKER
> >ATTACK which will make them sit up and take notice.
>
> Ah, you're an optimist.
>
> Most sysadmins would simply ignore whatever warnings they get as
> long as their internal users aren't complaining.
>
> And half of them wouldn't know what SYN/ACK ratio is.
>
> --vadim

As long as the attacks were logged another provider (like their
upstream provider for example) can come along and say "we traced the
attack to your network, what sort of traps were logged". If they are
totally clueless they can at least set up the traps and traplogs
(possibly with some help) at that point and get the next attack.

Curtis
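The thread is about having a router or sniffer watch the SYN / SYN-ACK / ACK handshake per destination and syslog a ratio such as "33:1" so that an admin (or their upstream) has something in the logs to point to. The following is an added illustration of that detection logic, not code from the thread or from any vendor; it walks a constructed window of TCP segments (documentation addresses 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24), tracks each client/server handshake, and emits an alarm line when the ratio of SYNs received to handshakes completed reaches a threshold. The `threshold` and `min_syns` parameters are assumptions chosen for the example; a real deployment would tune them and reset the counters per time window.

```python
"""Per-destination SYN / SYN-ACK / ACK ratio alarming over a window of TCP segments.

Added example (not from the NANOG thread). Illustrates the idea discussed there:
count the three handshake steps per server and log when the SYN : completed ratio
looks like a flood, rather than shutting anything down.
"""
from collections import defaultdict
from dataclasses import dataclass

SYN = 0x02  # TCP header flag bits
ACK = 0x10


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    flags: int


def handshake_stats(segments):
    """Walk the segments once, tracking each (client, server) handshake.

    Returns {server: {"syn": n, "synack": n, "ack": n}} where "ack" counts only
    handshakes that reached the third step (the client's ACK of the SYN-ACK);
    later data ACKs on an established connection are not counted.
    """
    state = {}  # (client, server) -> "syn" or "synack"
    stats = defaultdict(lambda: {"syn": 0, "synack": 0, "ack": 0})
    for seg in segments:
        if seg.flags & SYN and not seg.flags & ACK:
            state[(seg.src, seg.dst)] = "syn"
            stats[seg.dst]["syn"] += 1
        elif seg.flags & SYN and seg.flags & ACK:
            key = (seg.dst, seg.src)  # reply travels server -> client
            if state.get(key) == "syn":
                state[key] = "synack"
                stats[seg.src]["synack"] += 1
        elif seg.flags & ACK:
            key = (seg.src, seg.dst)
            if state.get(key) == "synack":
                del state[key]  # handshake complete
                stats[seg.dst]["ack"] += 1
    return dict(stats)


def ratio_alarms(segments, threshold=10.0, min_syns=20):
    """Return syslog-style alarm lines for servers whose SYN : completed-handshake
    ratio reaches `threshold`. `min_syns` suppresses alarms on tiny samples: a host
    that is simply down collects a handful of unanswered retries, not a flood.
    Both parameters are assumed values for this example.
    """
    alarms = []
    for server, s in sorted(handshake_stats(segments).items()):
        if s["syn"] < min_syns:
            continue
        ratio = s["syn"] / s["ack"] if s["ack"] else float("inf")
        if ratio >= threshold:
            alarms.append(
                f"SYN/ACK RATIO {s['syn']}:{s['ack']} POSSIBLE SYN FLOOD "
                f"dst={server} synacks_sent={s['synack']}"
            )
    return alarms


def _build_sample():
    """Constructed sample window: one healthy server, one flooded server, one
    server that is down. Addresses are RFC 5737 documentation ranges."""
    segs = []
    # 30 ordinary connections to 192.0.2.20, each handshake completed.
    for i in range(30):
        client = f"198.51.100.{i + 1}"
        segs.append(Segment(client, "192.0.2.20", SYN))
        segs.append(Segment("192.0.2.20", client, SYN | ACK))
        segs.append(Segment(client, "192.0.2.20", ACK))
    # 64 SYNs from spoofed sources to 192.0.2.10; the server answers each one
    # with a SYN-ACK that is never acknowledged, filling its backlog.
    for i in range(64):
        spoofed = f"203.0.113.{i + 1}"
        segs.append(Segment(spoofed, "192.0.2.10", SYN))
        segs.append(Segment("192.0.2.10", spoofed, SYN | ACK))
    # Two legitimate clients still manage to complete a handshake with it.
    for client in ("198.51.100.201", "198.51.100.202"):
        segs.append(Segment(client, "192.0.2.10", SYN))
        segs.append(Segment("192.0.2.10", client, SYN | ACK))
        segs.append(Segment(client, "192.0.2.10", ACK))
    # 192.0.2.30 is down: one client retries its SYN five times, no reply.
    for _ in range(5):
        segs.append(Segment("198.51.100.250", "192.0.2.30", SYN))
    return segs


SAMPLE_SEGMENTS = _build_sample()

if __name__ == "__main__":
    for line in ratio_alarms(SAMPLE_SEGMENTS):
        print(line)  # one line, ratio 66:2 (the 33:1 figure from the thread)
```

The completed-handshake count is what separates a spoofed flood from a busy server: a flood fills the backlog with SYN-ACKs that are never acknowledged, so the SYN-ACK count alone looks healthy while the ratio of SYNs to third-step ACKs blows up. The `min_syns` floor keeps the down host out of the log; lowering it to 1 in the sample makes 192.0.2.30 alarm as well, which is the false positive Vadim's hypothetical admin would learn to ignore.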