nanog mailing list archives

Re: syn flood attacks from NL-based netblocks


From: Florian Brandstetter <florianb () globalone io>
Date: Mon, 19 Aug 2019 19:25:47 +0100

Load balancing is done on Layer 4 or Layer 3 when routing, so your ingress connection will have the same hash as the outgoing connection (unless the source port of the connection changes on the ACK - which it really should not).

On Mon, 08/19/2019 06:18 PM, Töma Gavrichenkov <ximaera () gmail com> wrote:

On Mon, Aug 19, 2019, 8:57 PM Valdis Klētnieks <valdis.kletnieks () vt edu> wrote:

On Mon, 19 Aug 2019 20:44:47 +0300, Töma Gavrichenkov said:

Not in a typical DC/ISP environment!  With the solution you propose, a perfect routing symmetry is a hard requirement, b/c you need to make sure a returning SYN/ACK hits the very same machine as the initial SYN.

If your load balancer isn't doing something to make that situation work properly, you need to talk to your vendor.

If you're doing load balancing for *outgoing* traffic — and in exactly the same manner as you do with incoming — then maybe.

This also assumes that instead of mitigating an attack near the border you set up and keep an internal cluster of filtering machines somewhere and route, in the worst case scenario, *all* of your traffic through that cluster.  Depending on the size of your network, it might or might not be an effective solution.
--
Töma
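The symmetry question above (does the SYN/ACK hash to the same filtering node as the SYN?) comes down to whether the per-flow hash treats the two directions of a connection alike. The following is an added illustration, not code from any poster or vendor: it compares a direction-dependent 5-tuple hash with one that canonicalises endpoint order before hashing, over constructed sample flows; the hash function (CRC32) and bucket count are assumptions.

```python
"""Added example: per-flow hashing and SYN / SYN-ACK symmetry.

A SYN and its SYN/ACK carry mirrored 5-tuples. Only a hash that is
indifferent to endpoint order sends both to the same node; a naive
ordered hash does so only by chance. All inputs here are constructed.
"""
import zlib
from typing import Callable, Iterable, NamedTuple


class Flow(NamedTuple):
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int  # 6 = TCP


def reverse(flow: Flow) -> Flow:
    """5-tuple of the reply direction (the SYN/ACK for a SYN)."""
    return Flow(flow.dst_ip, flow.src_ip, flow.dst_port, flow.src_port, flow.proto)


def _bucket(key: str, buckets: int) -> int:
    # CRC32 is a stand-in for whatever hash a router or LB actually uses
    return zlib.crc32(key.encode()) % buckets


def ordered_hash(flow: Flow, buckets: int) -> int:
    """Direction-dependent hash: fields used in packet order."""
    return _bucket("|".join(map(str, flow)), buckets)


def symmetric_hash(flow: Flow, buckets: int) -> int:
    """Direction-independent hash: sort the (ip, port) endpoints first."""
    lo, hi = sorted([(flow.src_ip, flow.src_port), (flow.dst_ip, flow.dst_port)])
    return _bucket(f"{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}|{flow.proto}", buckets)


def lands_on_same_node(flow: Flow, buckets: int, hash_fn: Callable) -> bool:
    """True when the SYN and its SYN/ACK select the same bucket."""
    return hash_fn(flow, buckets) == hash_fn(reverse(flow), buckets)


def symmetry_rate(flows: Iterable[Flow], buckets: int, hash_fn: Callable) -> float:
    flows = list(flows)
    return sum(lands_on_same_node(f, buckets, hash_fn) for f in flows) / len(flows)


# Constructed sample: 1000 client flows toward one server, 8 filtering nodes
SAMPLE_FLOWS = [Flow(f"198.51.100.{i % 250 + 1}", "203.0.113.10", 10000 + i, 443, 6)
                for i in range(1000)]

if __name__ == "__main__":
    for name, fn in (("ordered", ordered_hash), ("symmetric", symmetric_hash)):
        print(f"{name:9s}: {symmetry_rate(SAMPLE_FLOWS, 8, fn):.0%} of SYN/ACKs reach the SYN's node")
```

With the ordered hash only a fraction of replies land on the node that saw the SYN, which is the asymmetry Töma describes; the canonicalised hash keeps every pair together.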
