router syn/syn-ack/ack alarming...

       - source address filtering and
       - syn/synack/ack ratio detection
are *complementary* approaches, both of which have promise.


Due to asymmetric routes and other reasons, neither seems very promising
within core routers.

There's also an issue of performance -- you don't want to burden
core routers with filtering. However, on customer access circuits
it is quite feasible.

Syn/synack/ack ratio detection is complementary, since it
could help detect an attack near the destination host.

I actually thought about using it on incoming traffic, i.e. not
to allow garbage into the backbone in the first place.

On incoming traffic the imbalance may simply trigger an alarm.

I am also a bit skeptical about the idea of automatically shutting down
an interface upon noticing anomalies in the ratios, but that does not
detract from the value of ratio anomaly detection as a valuable network
management technique.

I think there's no problem with automatic cut-offs in case of obviously
invalid traffic patterns. Practically all traffic on customer access
circuits is symmetrical.

The automatic shut-off has the advantage of isolating the problem
(be it an attacker or a workstation going berserk) immediately, where
doing it manually after alarms were tripped may take several hours,
which is clearly unacceptable for most people who use the Internet to do

Performing statistical monitoring of input traffic by multihomed customers
may be a matter of service contract -- in the same place as requirements
to ensure sanity of routing information originated by the same customer.
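The two techniques discussed in this thread, source address filtering on a customer access circuit and SYN/SYN-ACK/ACK ratio detection with an alarm level and a separate cut-off level for obviously invalid patterns, as a worked example. This is added illustration, not code from any of the posters; the packet records, the customer prefix 192.0.2.0/24, and the threshold values are constructed assumptions.

```python
"""SYN / SYN-ACK / ACK ratio anomaly detection plus source-address filtering
for one customer access circuit, run over constructed packet summaries.
Added example; prefixes, records and thresholds are assumptions."""
from collections import Counter
from ipaddress import ip_address, ip_network

TCP_SYN, TCP_ACK = 0x02, 0x10

# Assumed prefix assigned to the customer behind this circuit.
CUSTOMER_PREFIXES = [ip_network("192.0.2.0/24")]


def handshake(client, server, complete=True):
    """Constructed packet summaries for one connection attempt by the customer.
    Record: (direction, src, dst, tcp_flags); "in" = from customer, "out" = to customer."""
    pkts = [("in", client, server, TCP_SYN),
            ("out", server, client, TCP_SYN | TCP_ACK)]
    if complete:
        pkts.append(("in", client, server, TCP_ACK))
    return pkts


def flag_counts(packets):
    """Stateless count of SYN, SYN-ACK and bare ACK segments per direction."""
    c = Counter()
    for direction, _src, _dst, flags in packets:
        if flags & TCP_SYN:
            kind = "synack" if flags & TCP_ACK else "syn"
        elif flags & TCP_ACK:
            kind = "ack"
        else:
            continue
        c[f"{kind}_{direction}"] += 1
    return c


def balance(a, b):
    """Symmetry of two counters: 1.0 when equal, 0.0 when one side is empty."""
    return min(a, b) / max(a, b) if max(a, b) else 1.0


def assess(packets, min_syns=20, alarm_below=0.5, cutoff_below=0.1):
    """Classify the customer-as-client handshake pattern as ok / alarm / cutoff.
    On an access circuit SYNs in, SYN-ACKs out and handshake ACKs in should be
    roughly symmetrical.  Counting is stateless, so bare ACKs that acknowledge
    data are counted too; the (assumed) thresholds are loose to absorb that."""
    c = flag_counts(packets)
    syn = c["syn_in"]
    if syn < min_syns:          # too few samples to judge a ratio
        return "ok"
    worst = min(balance(syn, c["synack_out"]),
                balance(c["synack_out"], c["ack_in"]))
    if worst < cutoff_below:    # obviously invalid pattern: isolate the circuit
        return "cutoff"
    if worst < alarm_below:     # suspicious imbalance: alarm, let a human look
        return "alarm"
    return "ok"


def spoofed_sources(packets):
    """Source address filtering: inbound packets whose source is not a customer prefix."""
    return [src for direction, src, _dst, _flags in packets
            if direction == "in"
            and not any(ip_address(src) in p for p in CUSTOMER_PREFIXES)]


# Constructed traffic samples.
NORMAL = [p for i in range(50)
          for p in handshake(f"192.0.2.{i + 1}", f"198.51.100.{i % 20 + 1}")]
# A customer host opening connections it never completes, mixed with normal load.
HALF_OPEN = NORMAL + [p for _ in range(70)
                      for p in handshake("192.0.2.10", "198.51.100.7", complete=False)]
# Spoofed-source SYN flood: the victim's SYN-ACKs never come back over this circuit.
SPOOFED = [("in", f"203.0.113.{i % 250 + 1}", "198.51.100.7", TCP_SYN)
           for i in range(500)]

if __name__ == "__main__":
    for name, sample in (("normal", NORMAL), ("half-open", HALF_OPEN), ("spoofed", SPOOFED)):
        print(f"{name:10s} {assess(sample):7s} spoofed={len(spoofed_sources(sample)):4d} "
              f"{dict(flag_counts(sample))}")
```

The spoofed flood is caught by both checks independently (every source fails the prefix filter, and the SYN/SYN-ACK balance collapses to zero), which is the sense in which the two approaches are complementary; the half-open case passes the source filter and is only visible as a ratio anomaly, and at the chosen thresholds it trips the alarm but not the cut-off.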