router syn/syn-ack/ack alarming...
Vern Paxson
vern at ee.lbl.gov
Wed Sep 18 18:12:05 UTC 1996
> have something in their logs like SYN/ACK RATIO 33:1 POSSIBLE HACKER
> ATTACK which will make them sit up and take notice.
I don't see how in reality to make the syn/syn-ack/ack ratio work soundly.
It seems too easy for the cracker to synthesize bogus syn-ack's or ack's to
manipulate the ratio however they please. The bookkeeping to tell a true
syn-ack or ack-syn-ack from a bogus one entails keeping around connection
state, and suddenly the cheap ratio gets expensive.
Vern
More information about the NANOG
mailing list