New Denial of Service Attack on Panix

Forrest W. Christian forrestc at iMach.com
Tue Sep 17 09:28:23 UTC 1996


Maybe I'm missing something here, but wouldn't these Denial of Service 
attacks cause a severe mismatch in the numbers of SYNs and SYN-ACKs on a 
given router interface?

If so, then couldn't we just sweet-talk cisco into providing 5 minute 
counts of syns and syn-acks on an interface?  You know something like:

  5 minute SYNS: 123423   5 minute SYN-ACKS: 50000

Then, if the ratio got too high, it could start yelping about "Potential SYN 
D-O-S Attack in progress on Interface Serial 1".

In this manner "good" ISPs wouldn't unknowingly carry these attacks.  I 
envision this being done on the somewhat bigger ISPs where putting 
inbound filters on their customer interfaces would be not a good idea 
(Sprint, MCI, Net 99, etc.).  If the feature was enabled by default, some 
smaller ISPs would probably notice it--if they are watching their cisco 
logs at all.

Personally, I know that these attacks aren't going to originate at our 
site, as I have the filters on.  However, I am quite concerned about 
getting hit with one...

-forrestc at imach.com
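The detector sketched above, as an added example that is not part of the original post: it buckets SYN and SYN-ACK segments per interface into 5-minute windows and flags any window where the ratio runs high. Interface names, flag constants, thresholds and the traffic records are all constructed for illustration.

```python
from collections import defaultdict

# Standard TCP flag bits; a bare SYN is a connection request, SYN+ACK the reply.
SYN = 0x02
ACK = 0x10

WINDOW = 300  # 5-minute window, as proposed in the post


def bucket_counts(records, window=WINDOW):
    """Count SYN and SYN-ACK segments per (interface, window_start).

    records: iterable of (timestamp_seconds, interface, tcp_flags).
    Returns {(iface, window_start): [syns, synacks]}.
    """
    counts = defaultdict(lambda: [0, 0])
    for ts, iface, flags in records:
        start = (ts // window) * window
        if flags & SYN and not flags & ACK:
            counts[(iface, start)][0] += 1
        elif flags & SYN and flags & ACK:
            counts[(iface, start)][1] += 1
    return dict(counts)


def flag_interfaces(counts, ratio=3.0, min_syns=100):
    """Return [(iface, window_start, syns, synacks)] for windows where
    SYNs exceed `ratio` times SYN-ACKs. `min_syns` suppresses alerts on
    idle links, where a few unanswered SYNs would give a huge ratio."""
    alerts = []
    for (iface, start), (syns, synacks) in sorted(counts.items()):
        if syns >= min_syns and syns > ratio * max(synacks, 1):
            alerts.append((iface, start, syns, synacks))
    return alerts


def sample_records():
    """Constructed traffic: Serial0 behaves normally, Serial1 sees a flood."""
    recs = [(i % 300, "Serial0", SYN) for i in range(150)]
    recs += [(i % 300, "Serial0", SYN | ACK) for i in range(140)]
    recs += [(300 + i % 300, "Serial1", SYN) for i in range(1200)]
    recs += [(300 + i % 300, "Serial1", SYN | ACK) for i in range(50)]
    return recs


if __name__ == "__main__":
    for iface, start, syns, synacks in flag_interfaces(bucket_counts(sample_records())):
        print(f"Potential SYN D-O-S Attack in progress on Interface {iface} "
              f"(window from {start}s: SYNS {syns}, SYN-ACKS {synacks})")
```

The ratio only means something where both directions of a flow cross the same interface; with asymmetric routing the SYN-ACKs may return over a different link and every window would look like a flood.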