have something in their logs like SYN/ACK RATIO 33:1 POSSIBLE HACKER
ATTACK which will make them sit up and take notice.

I don't see how in reality to make the syn/syn-ack/ack ratio work soundly.
It seems too easy for the cracker to synthesize bogus SYN-ACKs or ACKs to
manipulate the ratio however they please. The bookkeeping to tell a true
syn-ack or ack-syn-ack from a bogus one entails keeping around connection
state, and suddenly the cheap ratio gets expensive.

Vern

Wouldn't the ratio be calculated from outgoing SYNs and incoming ACKs?
I can see that a sophisticated attacker could have a machine on another
network sending incoming ACKs to balance the outgoing SYNs, but I suspect
this would be an extremely small percentage of attacks.

Michael Dillon - ISP & Internet Consulting
Memra Software Inc. - Fax: +1-604-546-3049
http://www.memra.com - E-mail: michael@memra.com

Oops. I meant incoming SYN-ACKs, with the emphasis on a ratio between
outgoing and incoming.

Michael Dillon - ISP & Internet Consulting
Memra Software Inc. - Fax: +1-604-546-3049
http://www.memra.com - E-mail: michael@memra.com
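The two positions in this exchange, as an added illustration that is not code from the thread: the cheap stateless count of outgoing SYNs against incoming SYN-ACKs that Michael describes, beside the per-connection bookkeeping Vern says is needed to reject SYN-ACKs that answer no real SYN. The packet records, addresses and port numbers are constructed for the example.

```python
from collections import namedtuple

# Constructed packet records (not from the thread): direction as seen at the
# network border, TCP flags, 4-tuple, sequence and acknowledgement numbers.
Pkt = namedtuple("Pkt", "direction flags src sport dst dport seq ack")

SAMPLE = [
    # Legitimate handshake: outgoing SYN answered by a matching SYN-ACK.
    Pkt("out", "S",  "10.0.0.5", 40000, "198.51.100.1", 80, 1000, 0),
    Pkt("in",  "SA", "198.51.100.1", 80, "10.0.0.5", 40000, 5000, 1001),
    # Outgoing SYN flood from an inside host: many SYNs, no genuine replies.
    Pkt("out", "S", "10.0.0.9", 1, "203.0.113.7", 80, 1, 0),
    Pkt("out", "S", "10.0.0.9", 2, "203.0.113.7", 80, 2, 0),
    Pkt("out", "S", "10.0.0.9", 3, "203.0.113.7", 80, 3, 0),
    # Bogus SYN-ACKs from a host on another network: they balance the raw
    # counts but answer no outgoing SYN (wrong peer, wrong ack number).
    Pkt("in", "SA", "192.0.2.50", 80, "10.0.0.9", 1, 7, 99),
    Pkt("in", "SA", "192.0.2.50", 80, "10.0.0.9", 2, 8, 99),
    Pkt("in", "SA", "192.0.2.50", 80, "10.0.0.9", 3, 9, 99),
]

def stateless_ratio(pkts):
    """Cheap check: count outgoing SYNs and incoming SYN-ACKs, keep no state.
    Returns (syns, synacks)."""
    syns = sum(1 for p in pkts if p.direction == "out" and p.flags == "S")
    synacks = sum(1 for p in pkts if p.direction == "in" and p.flags == "SA")
    return syns, synacks

def stateful_ratio(pkts):
    """Stateful check: a SYN-ACK counts only if it answers a recorded outgoing
    SYN (reversed 4-tuple and ack == seq + 1). Returns (syns, matched)."""
    pending = {}   # (src, sport, dst, dport) of outgoing SYN -> expected ack
    syns = matched = 0
    for p in pkts:
        if p.direction == "out" and p.flags == "S":
            pending[(p.src, p.sport, p.dst, p.dport)] = p.seq + 1
            syns += 1
        elif p.direction == "in" and p.flags == "SA":
            key = (p.dst, p.dport, p.src, p.sport)
            if pending.get(key) == p.ack:
                matched += 1
                del pending[key]   # one reply per SYN
    return syns, matched

if __name__ == "__main__":
    print("stateless SYN:SYN-ACK =", stateless_ratio(SAMPLE))  # 4:4, looks normal
    print("stateful  SYN:matched =", stateful_ratio(SAMPLE))   # 4:1, flood visible
```

The stateless count reports a balanced 4:4 because the unmatched SYN-ACKs are accepted at face value; the stateful version keeps one dictionary entry per outstanding SYN, which is exactly the connection state Vern objects to paying for.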