New Denial of Service Attack on Panix

Jeff Young young at mci.net
Wed Sep 18 14:43:31 UTC 1996


is there that much asymmetry in the very leaves of the network?
i live in the asymmetry at the middle of the network, but of the 
folks who are multihomed customers of NSP's, is it the case that
asymmetry prevails in single streams of communication?  don't most 
multihomed customers of NSP's engineer a preferred transit?

if i'm multihomed to two providers, i've already done something to
balance my traffic and to make sure that i have fail-over.  i accept
x routes on connection 1 and y routes on connection 2. outgoing, i might pad
my AS on connection 2 and point default on connection 1.  i might point
a higher metric default out connection 2, or perhaps i'm defaultless
and tag routes as i hear them based on my own policy.  there are
a million ways to do it, but because of the way it's usually been done,
i wonder if there are that many cases of asymmetry at the edge.

i guess the one common thread of this discussion is that whatever
must be done must be done on the edges of the internet.  and that's
not a cop-out: we have as many edge cases as we have connections to
isp's.

Jeff Young
young at mci.net


> Date: Wed, 18 Sep 1996 07:51:56 -0400
> To: Vadim Antonov <avg at quake.net>
> From: Paul Ferguson <pferguso at cisco.com>
> Subject: Re: New Denial of Service Attack on Panix
> Cc: nanog at merit.edu, iepg at iepg.org
> 
> I'm wondering if this is not quite the panacea that it appears. More
> thought is certainly required here... asymmetry being a problem that
> leaps to mind.
> 
> - paul
> 
> At 01:02 PM 9/17/96 -0700, Vadim Antonov wrote:
> 
> >This is an excellent idea!  Actually, router vendors may simply
> >add a feature which shuts down the interface if the SYN/SYN-ACK balance
> >is too bad -- thus disconnecting the hacker-to-be.
> >
> >Of course, that balance may be decaying with time, so repeated
> >unsuccessful attempts to connect won't trigger alarms.
> >
> >--vadim
> >
> >Forrest W. Christian <forrestc at iMach.com> wrote:
> >
> >Maybe I'm missing something here, but wouldn't these Denial of Service 
> >attacks cause a severe mismatch in the numbers of SYNs and SYN-ACKs on a 
> >given router interface?
> >
> >If so, then couldn't we just sweet-talk cisco into providing 5 minute 
> >counts of SYNs and SYN-ACKs on an interface?
> >
> >
> 
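The detector the thread is proposing, as an added example that is not code from the list, from Cisco, or from any router vendor: a small Python model of per-interface SYN / SYN-ACK counting in 5-minute buckets with the decaying balance Vadim suggests. The bucket length, decay factor and alarm threshold are assumptions chosen for the illustration, and every packet record is constructed, not captured. It runs the detector over four traffic patterns: symmetric legitimate traffic, a spoofed SYN flood, a legitimate multihomed customer whose return path comes in through a different provider (the asymmetry Paul raises), and a host that keeps retrying a dead server (the slow-accumulation case the decay is meant to absorb).

```python
"""Model of a per-interface SYN / SYN-ACK balance detector (constructed example).

Assumptions for the illustration: 5-minute counting buckets, a decay factor of
0.5 applied to the running balance at each bucket, and an alarm threshold of
1000 excess SYNs. None of these numbers come from the thread or from any vendor.
"""
from collections import namedtuple

# One packet as the interface classifies it: arrival time in seconds, the
# direction relative to the interface ("in" from the customer side, "out"
# toward it), and the TCP flag set.
Pkt = namedtuple("Pkt", "t direction flags")
SYN = frozenset({"SYN"})
SYN_ACK = frozenset({"SYN", "ACK"})

BUCKET = 300.0  # seconds: the 5-minute interval Forrest asks for


def bucket_counts(packets, bucket=BUCKET):
    """Count inbound SYNs and outbound SYN-ACKs per bucket, in time order."""
    if not packets:
        return []
    n = int(max(p.t for p in packets) // bucket) + 1
    counts = [[0, 0] for _ in range(n)]
    for p in packets:
        i = int(p.t // bucket)
        if p.direction == "in" and p.flags == SYN:
            counts[i][0] += 1
        elif p.direction == "out" and p.flags == SYN_ACK:
            counts[i][1] += 1
    return [tuple(c) for c in counts]


class DecayingBalance:
    """Running excess of SYNs over SYN-ACKs that decays each bucket.

    balance <- balance * decay + (syn - synack); alarm when balance > threshold.
    With decay < 1 a steady trickle of unanswered SYNs converges to
    trickle / (1 - decay) instead of growing without bound.
    """

    def __init__(self, decay=0.5, threshold=1000):
        self.decay = decay
        self.threshold = threshold
        self.balance = 0.0

    def update(self, syn, synack):
        self.balance = self.balance * self.decay + (syn - synack)
        return self.balance > self.threshold


def first_alarm(packets, decay=0.5, threshold=1000):
    """Index of the first bucket that trips the alarm, or None if none does."""
    det = DecayingBalance(decay, threshold)
    for i, (syn, synack) in enumerate(bucket_counts(packets)):
        if det.update(syn, synack):
            return i
    return None


# ---- constructed traffic patterns (not captured traffic) ----

def legit_symmetric(conns=200, buckets=3):
    """Ordinary clients behind the interface: every SYN in gets a SYN-ACK out."""
    pk = []
    for b in range(buckets):
        for k in range(conns):
            t = b * BUCKET + k
            pk.append(Pkt(t, "in", SYN))
            pk.append(Pkt(t + 0.05, "out", SYN_ACK))
    return pk


def spoofed_flood(rate=5000, buckets=2):
    """SYN flood with forged sources: the victim's SYN-ACKs go to the forged
    addresses and never come back out this interface."""
    return [Pkt(b * BUCKET + k * BUCKET / rate, "in", SYN)
            for b in range(buckets) for k in range(rate)]


def legit_asymmetric(conns=3000, buckets=2):
    """Multihomed customer sending SYNs through this provider while the
    SYN-ACKs return through its other provider: same signature as the flood."""
    return [Pkt(b * BUCKET + k * BUCKET / conns, "in", SYN)
            for b in range(buckets) for k in range(conns)]


def retrying_client(per_bucket=60, buckets=40):
    """One host retrying a dead server every 5 seconds: a small, steady excess
    of SYNs that only matters if the balance never decays."""
    return [Pkt(b * BUCKET + k * 5, "in", SYN)
            for b in range(buckets) for k in range(per_bucket)]


if __name__ == "__main__":
    for name, pk in [("symmetric", legit_symmetric()),
                     ("spoofed flood", spoofed_flood()),
                     ("asymmetric (legit)", legit_asymmetric()),
                     ("retrying client", retrying_client())]:
        print(f"{name:20s} decay=0.5 -> alarm bucket {first_alarm(pk)}; "
              f"no decay -> alarm bucket {first_alarm(pk, decay=1.0)}")
```

The two results worth noticing: the legitimately asymmetric customer trips the alarm in the same bucket as the spoofed flood, because from this one interface the two are indistinguishable, which is the substance of Paul's objection to shutting the interface on the count alone; and the retrying client never alarms with decay but does alarm without it (at bucket 16 under these assumed numbers), which is what Vadim's decaying balance buys. The traffic patterns and thresholds are constructed for the illustration and would need real interface counters behind them.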