router syn/syn-ack/ack alarming...

Michael Dillon michael at memra.com
Wed Sep 18 23:12:47 UTC 1996


On Wed, 18 Sep 1996, Vadim Antonov wrote:

> >This ratio detection
> >doesn't need to shutdown anything, just syslog the fact so that admins
> >have something in their logs like SYN/ACK RATIO 33:1 POSSIBLE HACKER
> >ATTACK which will make them sit up and take notice.

> Ah, you're an optimist.

*smile*

> Most sysadmins would simply ignore whatever warnings they get as
> long as their internal users aren't complaining.
> 
> And half of them wouldn't know what SYN/ACK ratio is.

That's why the word "HACKER" has to be in the message. Over time we can
get the word out that if you are having weird problems you should make
sure your router is pointed to a syslog host and then try

grep HACKER /var/log/*

Besides, some admins do browse through logs from time to time. I can't
count how many times the Linuxisp mailing list has seen the question:
  
   I was looking through my logs and I see these messages
   about named and recvfrom failed...

This is a rather innocuous problem caused by running an old beta version
of BIND and doesn't generally cause any other symptoms. Maybe more people
read logs than you think....

Michael Dillon                   -               ISP & Internet Consulting
Memra Software Inc.              -                  Fax: +1-604-546-3049
http://www.memra.com             -               E-mail: michael at memra.com
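The SYN/SYN-ACK ratio check discussed in this thread, written out as an added example; it is not code from the thread or from any router vendor. It assumes a constructed list of (source, destination, TCP flags) records in place of real packets, an alarm threshold of 10:1 with a minimum of 20 SYNs before alarming, and a made-up router hostname in the syslog line; the message text itself is the one proposed in the quoted post.

```python
"""SYN/SYN-ACK ratio alarm (added example, not from the NANOG thread).

Counts TCP SYNs arriving at each host and SYN-ACKs leaving it over one
observation window, then emits a syslog-style line carrying the word
HACKER when the ratio is far above the 1:1 a normal handshake produces,
so that `grep HACKER /var/log/*` finds it.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Assumed thresholds for this example: ratio above which to alarm, and a
# floor on SYN count so a handful of unanswered SYNs does not alarm.
ALARM_RATIO = 10.0
MIN_SYNS = 20

# Constructed sample window: (src_ip, dst_ip, tcp_flags).  Flags are the
# set bits as letters, "S" for SYN and "SA" for SYN-ACK.
SAMPLE_SEGMENTS: List[Tuple[str, str, str]] = (
    # Healthy server 10.0.0.5: three SYNs in, three SYN-ACKs back out.
    [("192.0.2.10", "10.0.0.5", "S"), ("10.0.0.5", "192.0.2.10", "SA")] * 3
    # Flooded server 10.0.0.9: forty SYNs from forty sources, one SYN-ACK.
    + [(f"198.51.100.{i}", "10.0.0.9", "S") for i in range(1, 41)]
    + [("10.0.0.9", "198.51.100.1", "SA")]
)


def count_handshakes(segments: Iterable[Tuple[str, str, str]]) -> Dict[str, Tuple[int, int]]:
    """Return {server: (syns_in, synacks_out)} keyed by the host being contacted."""
    syns_in: Dict[str, int] = defaultdict(int)
    synacks_out: Dict[str, int] = defaultdict(int)
    for src, dst, flags in segments:
        if flags == "S":
            syns_in[dst] += 1          # SYN arriving at the server
        elif flags == "SA":
            synacks_out[src] += 1      # SYN-ACK leaving the server
    hosts = set(syns_in) | set(synacks_out)
    return {h: (syns_in[h], synacks_out[h]) for h in hosts}


def ratio_alarms(segments: Iterable[Tuple[str, str, str]],
                 threshold: float = ALARM_RATIO,
                 min_syns: int = MIN_SYNS,
                 router: str = "router1") -> List[str]:
    """Syslog-style lines for servers whose SYN:SYN-ACK ratio exceeds threshold.

    `router` is a constructed hostname for the log line prefix.
    """
    alarms: List[str] = []
    for host, (syns, synacks) in sorted(count_handshakes(segments).items()):
        # Zero SYN-ACKs means every SYN went unanswered; treat as infinite.
        ratio = syns / synacks if synacks else float("inf")
        if syns >= min_syns and ratio >= threshold:
            alarms.append(
                f"{router} tcp: SYN/ACK RATIO {syns}:{synacks} "
                f"POSSIBLE HACKER ATTACK (dst {host})"
            )
    return alarms


def grep_hacker(log_lines: Iterable[str]) -> List[str]:
    """What `grep HACKER /var/log/*` would return over these lines."""
    return [line for line in log_lines if "HACKER" in line]


if __name__ == "__main__":
    # Mix the alarm into some unrelated log noise and grep it back out.
    log = ["router1 named: recvfrom failed"] + ratio_alarms(SAMPLE_SEGMENTS)
    for line in grep_hacker(log):
        print(line)
```

The healthy host in the sample sits at 3:3 and stays silent; the flooded one logs `SYN/ACK RATIO 40:1`. The SYN floor matters as much as the ratio: without it a single unanswered SYN to a down host would read as 1:0 and alarm on every window.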