New Denial of Service Attack on Panix

"Forrest W. Christian" writes:

Maybe I'm missing something here, but wouldn't these Denial of Service
attacks cause a severe mismatch in the numbers of SYNs and SYN-ACKs on a
given router interface?


Then, if the ratio got too high, it can start yelping about "Potential SYN
D-O-S Atttack in progress on Interface Serial 1"

In this manner "good" isp's wouldn't unknowingly carry these attacks.

I think it is easier to just block the attacks completely by source
filtering your own network, at which point you can't carry such an
attack, knowingly or unknowingly.

I envision this being done on the somewhat bigger isp's where
putting inbound filters on their customer interfaces would be not a
good idea (Sprint, MCI, Net 99, etc.).

What you propose is actually much harder to build than filters are.

Personally, I know that these attacks aren't going to originate at our
site, as I have the filters on. However, I am quite concerned about
getting hit with one...

Please help, then, in convincing people that it is important to turn
on filtering on all leaf networks.