Alex,
I agree with much of your analysis, but would argue that the two
techniques of:
- source address filtering and
- syn/synack/ack ratio detection
are *complementary* approaches, both of which have promise.
Due to asymmetric routes and other reasons, neither seems very promising
within core routers. Source address filtering, however, should become
standard practice near the edge of the net and help control attacks near
the source host. Syn/synack/ack ratio detection is complementary, since it
could help detect an attack near the destination host.
I am also a bit skeptical about the idea of automatically shutting down
an interface upon noticing anomalies in the ratios, but that does not
detract from the value of ratio anomaly detection as a valuable network
management technique.
-- Guy

It could also help detect an attack near the source host which would help
*GREATLY* in tracing the perpetrator of the attacks. This ratio detection
doesn't need to shut down anything, just syslog the fact so that admins
have something in their logs like SYN/ACK RATIO 33:1 POSSIBLE HACKER
ATTACK which will make them sit up and take notice.
Michael Dillon - ISP & Internet Consulting
Memra Software Inc. - Fax: +1-604-546-3049
http://www.memra.com - E-mail: michael@memra.com
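A toy version of the ratio detector both messages discuss, added here as an example (it is not code from either poster): it tallies SYN, SYN/ACK and handshake ACK packets per served host over constructed sample records and, as Michael suggests, only emits a syslog-style line rather than shutting anything down. The record format, addresses and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample records: (src, dst, tcp_flags). A flood of 33 SYNs
# from spoofed sources toward 192.0.2.10 that gets one SYN/ACK and no
# final ACK, plus three normal handshakes to 192.0.2.20.
SAMPLE_RECORDS = (
    [("203.0.113.%d" % i, "192.0.2.10", "S") for i in range(1, 34)]
    + [("192.0.2.10", "203.0.113.1", "SA")]
    + [("198.51.100.5", "192.0.2.20", "S"),
       ("192.0.2.20", "198.51.100.5", "SA"),
       ("198.51.100.5", "192.0.2.20", "A")] * 3
)


def tally(records):
    """Count SYN, SYN/ACK and ACK per served host.

    SYNs and ACKs are keyed by destination, SYN/ACKs by source (the server
    sends them), so all three counters describe the same host. A real
    capture would restrict "A" to the first ACK of each flow, since every
    data segment also carries ACK; the sample only has handshake ACKs.
    """
    counts = defaultdict(lambda: {"syn": 0, "synack": 0, "ack": 0})
    for src, dst, flags in records:
        if flags == "S":
            counts[dst]["syn"] += 1
        elif flags == "SA":
            counts[src]["synack"] += 1
        elif flags == "A":
            counts[dst]["ack"] += 1
    return counts


def ratio_alerts(records, threshold=10, min_syns=20):
    """Return syslog-style lines for hosts whose SYN:SYN/ACK ratio meets
    the threshold. Hosts below min_syns are ignored so a handful of
    lost packets on a quiet host cannot trigger an alert."""
    alerts = []
    for host, c in sorted(tally(records).items()):
        if c["syn"] < min_syns:
            continue
        ratio = c["syn"] / max(c["synack"], 1)
        if ratio >= threshold:
            alerts.append("SYN/ACK RATIO %d:1 POSSIBLE SYN FLOOD toward %s "
                          "(syn=%d synack=%d ack=%d)"
                          % (round(ratio), host, c["syn"], c["synack"], c["ack"]))
    return alerts
```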