router syn/syn-ack/ack alarming...

Wed Sep 18 20:53:54 UTC 1996

Guy T Almes <almes at advanced.org> wrote:
>  The case for ratio-based techniques is stronger as a means for a NOC
>to detect a strange situation and investigate it than as a means to
>automatically shut down an interface.

Both uses are not exclusive.  The automatic reaction is simply
much faster than by any NOC.  I.e. the attack is stalled before
it can harm anyone.

>  Note that, given your 'opposite direction' idea, I could shut down
>service on campus 'A' by [1] logging into any host on campus 'A',
>[2] launching an attack that might not be harmful in itself but which
>would trigger the auto shutdown you advocate, and then [3] sitting
>back and watch all of campus 'A' get shut down with the presumptive
>blame focused on them.

That will give them an incentive to improve security on their
hosts.  It is very much like leaving your car with keys in ignition lock
in a dark corner of N.Y.  Chances are good that it'll be stolen and
used to commit a crime, and that you'll have to spend quite a lot
of time sorting things out.  It does not mean that the police shouldn't
stop getaway cars.

In my opinion, people whose carelessness is instrumental to crime
should be at least inconvinienced.  Otherwise they will unwittingly
assist criminals until the hell freezes over.

>  It's still a denial of service attack.  The problem is not with
>detecting the ratio imbalance, but with simple deterministic response
>to it.  That determinism could be used by an attacker.

The scenario you provided moves the burden of being responsible from
the target (who may have did everything they could to secure their
network) to whomever happened to be a lazy s.o.b. of sysadmin.

Right now there's nearly zero penalty for being irresponsible,
particularly if you're a big U.  I know sysadmins of really big and
prestigeous U. who made a conscise choice of being totally irresponsible --
to the point of actually leaving totally unprotected machine on their
LAN to steer hackers off their other hosts.  I bet being shut a couple
of times would very quickly change that :)

>In sum, I like the idea of detecting the problem and rapidly tracing
>it, but I'm skeptical about a totally automated response to it given
>our current low level of experience with it.

We can borrow experience from utilities which employ automatic
shut-offs of every possible kind for years.  Yes, they do create
problems; but on overall balance it appears to be a very robust
approach to preservation of the whole system's integrity.

I really like the idea of the network being able to defend itself
without dragging engineers out of beds in the middle of the night :)
That will certainly remove a lot of incentive for hacker wannabes
who appear to have only one goal in their lives -- to make life
of operators miserable.

--vadim