nanog mailing list archives

Re: syn flood attacks from NL-based netblocks


From: Töma Gavrichenkov <ximaera () gmail com>
Date: Mon, 19 Aug 2019 20:44:47 +0300

On Mon, Aug 19, 2019 at 8:12 PM Damian Menscher <damian () google com> wrote:
> A factor of 2 is "rounding error" and we probably shouldn't
> waste our time on it (eg, by designing solutions to reduce
> amplification factors) when we could instead be targeting
> the sources of spoofed traffic.

Ah, fine.  Spoofing is obviously the root cause here.
I was mostly addressing the statement that factors of 2 to 5 aren't
"particularly interesting for attackers or defenders". In my
experience they certainly are.

> this particular "carpet-bombing" attack isn't likely to be
> mitigated at the network layer anyway... the load is
> distributed across thousands of machines which can
> each trivially handle the state.

Not in a typical DC/ISP environment!  With the solution you propose, a
perfect routing symmetry is a hard requirement, b/c you need to make
sure a returning SYN/ACK hits the very same machine as the initial
SYN.  As long as you expect a DDoS to be handled somewhere close to
the border of your network, this is hardly achievable for a network
growing in size.

--
Töma
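The routing-symmetry point above can be made concrete with an added example that is not from either poster. Neither message mentions SYN cookies; they are used here only because they are the usual way to absorb a SYN flood without per-connection state, and even then the device that validates the client's final ACK must hold the secret that minted the SYN/ACK's sequence number. The scheme below is a simplified model of the Linux layout (8-bit time counter, 2-bit MSS index, 22-bit keyed hash); the secrets, addresses (RFC 5737 test ranges), counter window and port numbers are all constructed for the demonstration.

```python
import hashlib
import hmac
import struct

# Added example, not code from the thread.  A simplified SYN-cookie scheme:
# the server answers a SYN with a SYN/ACK whose initial sequence number is a
# keyed hash over the 4-tuple, the client's ISN, a coarse time counter and an
# MSS index, and keeps no per-connection state.  The client's final ACK can
# only be validated by a device holding the same secret, so the ACK must come
# back to the device (or secret-sharing pool) that minted the cookie.

COOKIE_WINDOW = 64                    # seconds per counter tick (assumed)
MSS_TABLE = (536, 1300, 1440, 1460)   # 2-bit MSS index, as in Linux


def _counter(now):
    return int(now) // COOKIE_WINDOW


def _mac(secret, saddr, daddr, sport, dport, client_isn, count, mss_idx):
    """22-bit keyed hash over everything the cookie must commit to."""
    msg = struct.pack("!4s4sHHIIB", saddr, daddr, sport, dport,
                      client_isn, count, mss_idx)
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & 0x3FFFFF


def make_cookie(secret, saddr, daddr, sport, dport, client_isn, mss, now):
    """Server ISN for the SYN/ACK: 8-bit counter | 2-bit MSS index | 22-bit MAC."""
    count = _counter(now)
    # Largest table entry not exceeding the MSS the client offered.
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    mac = _mac(secret, saddr, daddr, sport, dport, client_isn, count, mss_idx)
    return ((count & 0xFF) << 24) | (mss_idx << 22) | mac


def check_cookie(secret, saddr, daddr, sport, dport, client_isn, cookie, now):
    """Return the MSS encoded in a valid cookie, or None if this device cannot
    validate it (wrong secret, expired, or tampered 4-tuple)."""
    cur = _counter(now)
    count8 = cookie >> 24
    mss_idx = (cookie >> 22) & 0x3
    mac = cookie & 0x3FFFFF
    for count in (cur, cur - 1):        # current and previous tick are accepted
        if (count & 0xFF) != count8:
            continue
        expected = _mac(secret, saddr, daddr, sport, dport, client_isn, count, mss_idx)
        if hmac.compare_digest(expected.to_bytes(4, "big"), mac.to_bytes(4, "big")):
            return MSS_TABLE[mss_idx]
    return None


def handshake_demo():
    """Constructed handshake: device A mints the cookie; the client's ACK is then
    validated on A (symmetric path), on device B with its own secret (asymmetric
    path), and on A after the cookie has aged out."""
    secret_a = b"device-A-rotating-secret"      # constructed
    secret_b = b"device-B-rotating-secret"      # constructed
    saddr = bytes([198, 51, 100, 7])            # RFC 5737 test address
    daddr = bytes([203, 0, 113, 10])            # RFC 5737 test address
    sport, dport, client_isn, t0 = 40000, 443, 0x1A2B3C4D, 1_700_000_000

    # 1. SYN arrives at A; A answers SYN/ACK with seq = cookie and keeps nothing.
    cookie = make_cookie(secret_a, saddr, daddr, sport, dport, client_isn, 1460, t0)

    # 2. Client's ACK carries seq = client_isn + 1 and ack = cookie + 1.
    ack_seq, ack_num = client_isn + 1, (cookie + 1) & 0xFFFFFFFF

    def validate(secret, now):
        # The validating device recovers client ISN and cookie from the ACK header.
        return check_cookie(secret, saddr, daddr, sport, dport,
                            ack_seq - 1, (ack_num - 1) & 0xFFFFFFFF, now)

    return {
        "same_device":  validate(secret_a, t0 + 5),                  # 1460
        "other_device": validate(secret_b, t0 + 5),                  # None
        "expired":      validate(secret_a, t0 + 3 * COOKIE_WINDOW),  # None
    }
```

The "other_device" case is the asymmetric-routing failure: device B sees a well-formed ACK for a connection it never saw the SYN of, and with its own secret it can neither validate the cookie nor recover the MSS, so the handshake is dropped as if it were flood traffic. Sharing one rotating secret across the whole edge, or pinning flows to devices, is what a distributed SYN-flood defence has to arrange before it can be stateless.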

