North American Network Operators Group
Re: router syn/syn-ack/ack alarming...
Vadim,

The case for ratio-based techniques is stronger as a means for a NOC to detect a strange situation and investigate it than as a means to automatically shut down an interface.

Note that, given your 'opposite direction' idea, I could shut down service on campus 'A' by logging into any host on campus 'A', launching an attack that might not be harmful in itself but which would trigger the auto shutdown you advocate, and then sitting back and watching all of campus 'A' get shut down with the presumptive blame focused on them. It's still a denial of service attack.

The problem is not with detecting the ratio imbalance, but with a simple deterministic response to it. That determinism could be used by an attacker.

In sum, I like the idea of detecting the problem and rapidly tracing it, but I'm skeptical about a totally automated response to it given our current low level of experience with it.

-- Guy

At 05:58 PM 9/17/96 -0700, you wrote:
>Regis Donovan <firstname.lastname@example.org> wrote:
>
>>um... maybe i'm missing the clue here, but if the router vendors add
>>something that shuts down an interface if the SYN/SYN-ACK/ACK ratio
>>becomes too bad, doesn't that make it *easier* for me if i'm doing a denial of service
>>attack on a host?
>
>No, you took the "anti-SYN" shut-off in the opposite direction.
>
>ISPs could install the asymmetry shut-off (why stop at SYNs / SYN-ACK pairs?)
>enforcing rough balance of SYNs coming from customer and SYN-ACKs coming
>back to customer. If the traffic is legitimate, the balance will hold.
>Any attempt to flood by that customer (intentional, or unintentional, by
>broken software) will cause massive imbalance.
>
>The equivalent filter on victim's side won't see those SYNs and SYN-ACKs,
>simply because they are going in the opposite direction.
>
>>instead of denying service to a given host, all i have to do is drive
>>the router into alarm mode so it shuts off the interface and then i get
>>to deny service to an entire segment and everything downstream from that
>>segment...
>
>Yes, the defense may be multi-staged. I.e. if a local ISP does
>not enable anti-flooding defenses on its own customer links, it'll risk
>the backbone ISP shutting down its entire operation.
>
>BTW, telcos have used statistical traffic analysis (bit-density monitors
>are the most trivial example) to isolate troubles for years.
>
>--vadim
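The per-customer-link asymmetry check Vadim describes, and the blast-radius problem Guy raises, as an added illustration that is not code from this thread or from any router vendor. It tallies SYNs leaving each customer link against SYN-ACKs coming back, alarms when the ratio drifts well past the rough balance legitimate traffic keeps, and names the host contributing most SYNs so a NOC can trace it. The `Packet` records, link labels, addresses and thresholds are all constructed for the example; the traffic sample puts one flooding host on an otherwise healthy campus to show that the alarm (and any automatic shut-off keyed to it) lands on the whole interface, not on the offender.

```python
"""Per-link SYN / SYN-ACK asymmetry monitor (constructed illustration)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    link: str        # customer interface the packet crossed (assumed label)
    direction: str   # "out": customer -> ISP, "in": ISP -> customer
    src: str
    dst: str
    syn: bool
    ack: bool


def evaluate(packets, min_syns=20, max_ratio=3.0):
    """Per link: outbound SYN count, inbound SYN-ACK count, their ratio,
    whether the link trips the alarm, and the host sending the most SYNs.
    min_syns keeps a handful of refused connections from raising an alarm;
    max_ratio is the tolerated SYN:SYN-ACK imbalance (both assumed values)."""
    syn_out = defaultdict(int)
    synack_in = defaultdict(int)
    per_host = defaultdict(lambda: defaultdict(int))
    for p in packets:
        if p.direction == "out" and p.syn and not p.ack:
            syn_out[p.link] += 1
            per_host[p.link][p.src] += 1
        elif p.direction == "in" and p.syn and p.ack:
            synack_in[p.link] += 1

    report = {}
    for link in set(syn_out) | set(synack_in):
        s, a = syn_out[link], synack_in[link]
        ratio = s / a if a else float("inf")
        hosts = per_host[link]
        top = max(hosts, key=hosts.get) if hosts else None
        report[link] = {
            "syn_out": s,
            "synack_in": a,
            "ratio": ratio,
            "alarm": s >= min_syns and ratio > max_ratio,
            "top_talker": top,                          # where to start tracing
            "top_share": hosts[top] / s if top else 0.0,
        }
    return report


def links_cut_by_auto_shutdown(report):
    """Interfaces a deterministic shut-off would drop: every host behind them
    loses service, not just the flooding one."""
    return sorted(link for link, r in report.items() if r["alarm"])


def build_sample():
    """Constructed traffic: campus-A has 30 normal hosts that each complete a
    handshake, plus one host sending 200 SYNs that get no SYN-ACK back;
    campus-B has 25 normal hosts and nothing else."""
    pkts = []
    for i in range(30):
        h = f"10.1.0.{i + 1}"
        pkts.append(Packet("campus-A", "out", h, "192.0.2.10", True, False))
        pkts.append(Packet("campus-A", "in", "192.0.2.10", h, True, True))
    for _ in range(200):
        pkts.append(Packet("campus-A", "out", "10.1.0.99", "198.51.100.5", True, False))
    for i in range(25):
        h = f"10.2.0.{i + 1}"
        pkts.append(Packet("campus-B", "out", h, "192.0.2.10", True, False))
        pkts.append(Packet("campus-B", "in", "192.0.2.10", h, True, True))
    return pkts


if __name__ == "__main__":
    rep = evaluate(build_sample())
    for link, r in sorted(rep.items()):
        print(f"{link}: syn_out={r['syn_out']} synack_in={r['synack_in']} "
              f"ratio={r['ratio']:.2f} alarm={r['alarm']} "
              f"trace_first={r['top_talker']} ({r['top_share']:.0%} of SYNs)")
    print("auto shut-off would cut:", links_cut_by_auto_shutdown(rep))
```

Run as-is and campus-A alarms at a ratio of about 7.7 while campus-B sits at 1.0; the report also shows that one host accounts for roughly 87% of campus-A's SYNs, which is the tracing lead a NOC would act on. The `alarm` flag is the only thing an automatic policy would see, so it is the whole campus-A interface that `links_cut_by_auto_shutdown` returns.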