nanog mailing list archives

Re: syn flood attacks from NL-based netblocks


From: Töma Gavrichenkov <ximaera () gmail com>
Date: Mon, 19 Aug 2019 13:56:32 +0300

Peace,

On Sun, Aug 18, 2019 at 6:48 PM Mike <mike-nanog () tiedyenetworks com> wrote:
> [..] I do have an idea
> that may be potentially a good mitigation strategy and for the exact
> reason stated above; low load to individual end points may still, in
> aggregate, overwhelm an IX or provider, so cutting off the SYN-ACK
> traffic to those hosts which have not requested connections is good
> internet hygiene...

In theory, yes, but it's incredibly complicated to do that properly at scale.

> My idea is to maintain a penalty box for any client IP that initiated a
> connection but did not complete, while also maintaining a whitelist of
> 'frequent fliers' who have previously completed their connections
> successfully.

Unless a connection is completed, you do not know if the source IP
address of your client is spoofed or not.  (Under certain
circumstances you don't know it even then, but it is unlikely that you
would have to take such a possibility into account).

Therefore, you should not populate anything in your RAM from such a source.

See also my short talk from RIPE 77 for more information:
- https://ripe77.ripe.net/presentations/154-ddoswww_ripe77_004.pdf
- https://ripe77.ripe.net/archives/video/2336/

Also, odds are a whitelist won't help either.

> While looking around, I came across the SYNPROXY netfilter module.

Not sure if it's still supported.  I think I've read in LKML that it
was dropped since Linux 4.4.  Anyhow, it's impossible to scale without
a complete rewrite.

--
Töma
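The point made above, that nothing should be allocated in RAM for a source whose SYN has not been followed by a completed handshake, as an added example that is not part of the original thread and not code from either participant. It contrasts a per-source "penalty box" filled at SYN time with a stateless check in the spirit of TCP SYN cookies: the SYN-ACK's initial sequence number is a keyed hash of the 4-tuple and a coarse time slot, and the client's ACK carries that proof back. The HMAC-SHA-256 layout, the secret, the addresses (TEST-NET ranges) and the traffic are all constructed for illustration and are not the real kernel encoding.

```python
"""
Added example, not code from the original thread or its participants: a toy
model of why per-source state created at SYN time is a liability under a
spoofed SYN flood, beside a stateless SYN-cookie style check that keeps no
state until the handshake completes. Addresses, ports, the secret and the
traffic are all constructed for the demonstration.
"""
import hashlib
import hmac

SECRET = b"constructed-secret-rotate-in-practice"   # assumed per-host secret
SERVER = ("198.51.100.10", 443)                      # constructed server (TEST-NET-2)
SEQ_MASK = 0xFFFFFFFF


class PenaltyBox:
    """Stateful approach: remember every source that sent a SYN and has not
    completed the handshake.  Every spoofed SYN costs an entry."""

    def __init__(self):
        self.pending = {}

    def on_syn(self, src):
        self.pending[src] = self.pending.get(src, 0) + 1

    def on_ack(self, src):
        self.pending.pop(src, None)


def syn_cookie(src, sport, dst, dport, tslot, secret=SECRET):
    """Stateless approach: the SYN-ACK's initial sequence number is a keyed
    hash of the 4-tuple plus a coarse time slot (top 3 bits).  Nothing is
    stored for the source; the client's ACK carries the proof back."""
    msg = f"{src}:{sport}->{dst}:{dport}|{tslot}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return ((tslot & 0x7) << 29) | (int.from_bytes(mac[:4], "big") & 0x1FFFFFFF)


def check_cookie(src, sport, dst, dport, ack_seq, now_slot, secret=SECRET):
    """Recompute the cookie for the current and previous slot and compare it
    to ACK-1.  A spoofed source never sees the SYN-ACK, so it cannot produce
    a valid ACK; a stale or guessed value fails."""
    isn = (ack_seq - 1) & SEQ_MASK
    return any(syn_cookie(src, sport, dst, dport, t, secret) == isn
               for t in (now_slot, now_slot - 1))


def spoofed_flood(n_syns):
    """Drive n_syns SYNs, each with a different forged source, through both
    designs and report how much per-source state each one accumulates."""
    box = PenaltyBox()
    cookie_entries = 0                     # the stateless path allocates nothing
    for i in range(n_syns):
        src = f"{(i >> 24) & 255}.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"
        box.on_syn(src)                    # entry for a source that will never ACK
        syn_cookie(src, 1024 + (i % 60000), *SERVER, tslot=1000)  # computed, not stored
    return {"penalty_box_entries": len(box.pending), "cookie_entries": cookie_entries}


def legit_handshake(now_slot=1000):
    """Real client: receives the SYN-ACK, answers with ACK = ISN+1 one slot later."""
    client = ("192.0.2.7", 40000)          # constructed client (TEST-NET-1)
    isn = syn_cookie(*client, *SERVER, now_slot)
    ack_seq = (isn + 1) & SEQ_MASK
    return check_cookie(*client, *SERVER, ack_seq, now_slot + 1)


def forged_ack(now_slot=1000):
    """Attacker spoofing 192.0.2.7 never saw the SYN-ACK and must guess the ISN.
    The slot bits of this guess match neither the current nor the previous slot."""
    return check_cookie("192.0.2.7", 40000, *SERVER, 0x9ABCDEF0, now_slot)


def stale_replay(now_slot=1000):
    """A SYN-ACK captured ten slots ago is replayed: rejected because the slot
    bits no longer match, so a captured cookie has a short shelf life."""
    isn = syn_cookie("192.0.2.7", 40000, *SERVER, now_slot - 10)
    return check_cookie("192.0.2.7", 40000, *SERVER, (isn + 1) & SEQ_MASK, now_slot)


if __name__ == "__main__":
    print(spoofed_flood(50_000))
    print(legit_handshake(), forged_ack(), stale_replay())
```

Run stand-alone, the flood leaves the penalty box with one entry per forged source while the cookie path holds none, and only the ACK that echoes a freshly issued cookie for the right 4-tuple is accepted. A real implementation also has to carry the negotiated options (MSS, window scaling) inside the cookie bits and rotate the secret, which is where the complexity the reply refers to comes from.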
