nanog mailing list archives
Re: syn flood attacks from NL-based netblocks
From: Töma Gavrichenkov <ximaera () gmail com>
Date: Mon, 19 Aug 2019 14:14:54 +0300
Peace, On Mon, Aug 19, 2019 at 7:39 AM Damian Menscher via NANOG <nanog () nanog org> wrote:
Most kernels will return 3-5 SYN-ACK packets for an incoming SYN, so it's not particularly interesting for attackers or defenders.
Well, producing 1000 Gbps as opposed to 200 Gbps is still pretty impressive, isn't it? More on that later, b/c the point here aren't even jiggabits,
it's somewhat pointless to worry about a small amplification factor -- an attacker could [..] use UDP to get a massive bandwidth (or even significant packet) amplification.
Most of the resources hosted by a typical hosting company are essentially Web sites.[citation needed] Unless you are really really dependant on QUIC (and, unless we're all really unlucky and recent initiatives to get rid of TCP/TLS fallback in HTTP/3 would gain support), as a Web hosting company, you can use whatever you want to get rid of UDP completely very quickly, and that won't harm your business a lot. Dealing with TCP flags is a different story: - Your ability to handle them with the likes of RFC 5575 depend on what particular sort of equipment is deployed in your network; - To make matters worse, for a huge portion of customers the ability to connect to an external service/API gateway/Web site via TCP is crucial. A simple example is Google which cannot survive for long if Googlebot keeps being unable to operate. Think also OAuth, Skyscanner, credit scoring systems, insurance companies, etc.; - To ensure proper handling of spoofed SYN/ACKs while still maintaining a possibility to connect to an external service you, as a hosting company under an attack, would have to track all of the outgoing SYNs to match them against received SYN/ACKs later. This is where the "1kGbps-vs-200Gbps" argument becomes important, b/c every existing free connection state tracking solution doesn't scale beyond 200 Gbps at best given the best hardware money can buy given a single machine, and no existing solution is able to share its state across multiple machines. [there are proprietary products doing that though, we have one, but proprietary solutions are always a different kind of story] -- Töma
Current thread:
- Re: syn flood attacks from NL-based netblocks, (continued)
- Re: syn flood attacks from NL-based netblocks Damian Menscher via NANOG (Aug 17)
- Re: syn flood attacks from NL-based netblocks Amir Herzberg (Aug 17)
- Re: syn flood attacks from NL-based netblocks Damian Menscher via NANOG (Aug 17)
- Re: syn flood attacks from NL-based netblocks Amir Herzberg (Aug 17)
- Re: syn flood attacks from NL-based netblocks Amir Herzberg (Aug 17)
- Re: syn flood attacks from NL-based netblocks Jim Shankland (Aug 17)
- Re: syn flood attacks from NL-based netblocks Damian Menscher via NANOG (Aug 17)
- Re: syn flood attacks from NL-based netblocks Mike (Aug 17)
- Re: syn flood attacks from NL-based netblocks Amir Herzberg (Aug 18)
- Re: syn flood attacks from NL-based netblocks Mike (Aug 18)
- Re: syn flood attacks from NL-based netblocks Töma Gavrichenkov (Aug 19)
- Re: syn flood attacks from NL-based netblocks Damian Menscher via NANOG (Aug 18)
- Re: syn flood attacks from NL-based netblocks Töma Gavrichenkov (Aug 19)
- Re: syn flood attacks from NL-based netblocks Damian Menscher via NANOG (Aug 19)
- Re: syn flood attacks from NL-based netblocks Töma Gavrichenkov (Aug 19)
- Re: syn flood attacks from NL-based netblocks Valdis Klētnieks (Aug 19)
- Re: syn flood attacks from NL-based netblocks Töma Gavrichenkov (Aug 19)
- Re: syn flood attacks from NL-based netblocks Valdis Klētnieks (Aug 19)
- Re: syn flood attacks from NL-based netblocks Töma Gavrichenkov (Aug 19)
- Re: syn flood attacks from NL-based netblocks Amir Herzberg (Aug 18)
- Message not available
- Re: syn flood attacks from NL-based netblocks Töma Gavrichenkov (Aug 19)
- Re: syn flood attacks from NL-based netblocks Florian Brandstetter (Aug 20)