router syn/syn-ack/ack alarming...

Vadim Antonov avg at quake.net
Wed Sep 18 20:32:30 UTC 1996


Guy T Almes <almes at advanced.org> wrote:

>        - source address filtering and
>        - syn/synack/ack ratio detection
>are *complementary* approaches, both of which have promise.

Absolutely.

>  Due to asymmetric routes and other reasons, neither seems very promising
>within core routers.

There's also an issue of performance -- you don't want to burden
core routers with filtering.   However, on customer access circuits
it is quite feasible.

>Syn/synack/ack ratio detection is complementary, since it
>could help detect an attack near the destination host.

I actually thought about using it on incoming traffic, i.e. not
to allow garbage into the backbone in the first place.

On incoming traffic the imbalance may simply trigger an alarm.

>  I am also a bit skeptical about the idea of automatically shutting down
>an interface upon noticing anomalies in the ratios, but that does not
>detract from the value of ratio anomaly detection as a valuable network
>management technique.

I think there's no problem with automatic cut-offs in case of obviously
invalid traffic patterns.  Practically all traffic on customer access
circuits is symmetrical.

The automatic shut-off has the advantage of isolating the problem
(be it an attacker or a workstation going berserk) immediately, where
doing it manually after alarms were tripped may take several hours,
which is clearly unacceptable for most people who use the Internet to do
business.

Performing statistical monitoring of input traffic by multihomed customers
may be a matter of service contract -- in the same place as requirements
to ensure sanity of routing information originated by the same customer.

--vadim
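An added example, not part of the original thread, of the ratio check discussed in this message: per-interval SYN/SYN-ACK/ACK counts by direction on a customer access circuit, with a minimum-count guard so a handful of failed connections does not trip the alarm. The thresholds, the direction labels and the sample intervals are constructed assumptions.

```python
from collections import Counter

# TCP flag bits as defined in RFC 793.
SYN, ACK = 0x02, 0x10

def classify(flags):
    """Map a TCP flags byte to the handshake step it represents, or None."""
    if flags & SYN:
        return "synack" if flags & ACK else "syn"
    return "ack" if flags & ACK else None

def evaluate_interval(packets, min_count=50, max_ratio=3.0):
    """Judge one polling interval on a customer access circuit.

    packets: iterable of (direction, tcp_flags); direction is "out" for
    customer -> backbone and "in" for backbone -> customer.  Healthy traffic
    is symmetrical: each handshake step crossing one way is answered by the
    next step coming back.  A spoofed-source SYN flood breaks this because
    the replies go to forged addresses and never cross this circuit.
    min_count keeps a few failed connections (one dead server) from alarming.
    Returns (counts, alarm); alarm is None, "out" (customer is the source of
    the garbage) or "in" (customer is the target).  Thresholds are assumed.
    """
    counts = Counter()
    for direction, flags in packets:
        step = classify(flags)
        if step:
            counts[direction, step] += 1
    # (verdict, request step, expected reply step).  Plain ACKs include every
    # data segment, so the SYN-ACK/ACK check only trips on gross imbalance.
    checks = [
        ("out", ("out", "syn"), ("in", "synack")),   # customer's SYNs go unanswered
        ("in", ("in", "syn"), ("out", "synack")),    # customer swamped, not answering
        ("in", ("out", "synack"), ("in", "ack")),    # customer answers SYNs, ACKs never come
    ]
    for verdict, request, reply in checks:
        if counts[request] >= min_count and counts[request] > max_ratio * counts[reply]:
            return dict(counts), verdict
    return dict(counts), None

def constructed(out_syn=0, in_synack=0, out_ack=0, in_syn=0, out_synack=0, in_ack=0):
    """Constructed sample interval; real input would come from a packet or flow tap."""
    return ([("out", SYN)] * out_syn + [("in", SYN | ACK)] * in_synack
            + [("out", ACK)] * out_ack + [("in", SYN)] * in_syn
            + [("out", SYN | ACK)] * out_synack + [("in", ACK)] * in_ack)

NORMAL = constructed(out_syn=100, in_synack=98, out_ack=2500)      # ordinary browsing
OUTBOUND_FLOOD = constructed(out_syn=500, in_synack=5)              # spoofed SYNs leaving
INBOUND_FLOOD = constructed(in_syn=400, out_synack=400, in_ack=3)   # customer's server targeted
QUIET = constructed(out_syn=10)                                     # too few SYNs to judge

if __name__ == "__main__":
    for name, sample in [("normal", NORMAL), ("outbound flood", OUTBOUND_FLOOD),
                         ("inbound flood", INBOUND_FLOOD), ("quiet", QUIET)]:
        print(name, evaluate_interval(sample)[1])
```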