Peace,

On Sun, Aug 18, 2019 at 6:48 PM Mike <mike-nanog@tiedyenetworks.com> wrote:
> [..] I do have an idea that may be potentially a good mitigation strategy and for the exact reason stated above; low load to individual end points may still, in aggregate, overwhelm an IX or provider, so cutting off the SYN-ACK traffic to those hosts which have not requested connections is good internet hygiene...
In theory, yes, but it's incredibly complicated to do that properly at scale.
> My idea is to maintain a penalty box for any client IP that initiated a connection but did not complete it, while also maintaining a whitelist of 'frequent fliers' who have previously completed their connections successfully.
Unless a connection is completed, you do not know if the source IP address of your client is spoofed or not. (Under certain circumstances you don't know it even then, but it is unlikely that you would have to take such a possibility into account.) Therefore, you should not populate anything in your RAM from such a source.

See also my short talk from RIPE 77 for more information:

- https://ripe77.ripe.net/presentations/154-ddoswww_ripe77_004.pdf
- https://ripe77.ripe.net/archives/video/2336/

Also, odds are a whitelist won't help either.
> While looking around, I came across the SYNPROXY netfilter module.
Not sure if it's still supported. I think I've read in LKML that it was dropped since Linux 4.4. Anyhow, it's impossible to scale without a complete rewrite.

--
Töma
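The point made above, that a SYN from an unverified source must not cost the defender any memory, is easiest to see in a small simulation. The following is an added example and is not code from this thread, from netfilter, or from either poster. It contrasts a per-source penalty box of the kind Mike describes (state allocated on every SYN, keyed on an address nobody has verified) with a stateless SYN cookie, which encodes what the server needs into the SYN-ACK's initial sequence number and stores nothing until the returning ACK proves the client can receive packets at the claimed address. The cookie layout (5-bit epoch, 3-bit MSS index, 24-bit keyed hash) follows the usual Linux-style scheme; the addresses, ports, epoch values, the fixed HMAC key and the attack sizes are all constructed for the demo.

```python
"""Added example: stateful penalty box vs. stateless SYN cookie under a spoofed
SYN flood. Every address, port, timestamp and the secret below is constructed."""
import hashlib
import hmac
import ipaddress
import random
import struct

SECRET = b"constructed-secret-rotate-in-production"  # fixed so the demo is reproducible
MSS_TABLE = (536, 1300, 1440, 1460)   # MSS values recoverable from the 3-bit index
COUNTER_PERIOD = 64                   # seconds per cookie epoch (Linux also uses 64 s)


def ip(text):
    return ipaddress.ip_address(text).packed


def _cookie_hash(src, sport, dst, dport, t):
    """Keyed 24-bit hash over the 4-tuple and the epoch; needs no per-flow table."""
    msg = struct.pack("!4s4sHHI", src, dst, sport, dport, t)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def syn_cookie(src, sport, dst, dport, mss, now):
    """ISN sent in the SYN-ACK: 5-bit epoch | 3-bit MSS index | 24-bit keyed hash."""
    t = (int(now) // COUNTER_PERIOD) & 0x1F
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return (t << 27) | (idx << 24) | _cookie_hash(src, sport, dst, dport, t)


def check_cookie(src, sport, dst, dport, ack, now):
    """Return the negotiated MSS if ack-1 is a cookie this server could have
    issued in the current or previous epoch, else None. No RAM is consulted."""
    isn = (ack - 1) & 0xFFFFFFFF
    t, idx = isn >> 27, (isn >> 24) & 0x7
    cur = (int(now) // COUNTER_PERIOD) & 0x1F
    if t not in (cur, (cur - 1) & 0x1F) or idx >= len(MSS_TABLE):
        return None
    if (isn & 0xFFFFFF) != _cookie_hash(src, sport, dst, dport, t):
        return None
    return MSS_TABLE[idx]


class PenaltyBoxFilter:
    """The stateful scheme under discussion: remember every SYN source, penalise
    those that never ACK, whitelist those that do. All keyed on an unverified IP."""

    def __init__(self, timeout=3):
        self.timeout = timeout
        self.pending = {}        # src -> deadline; one entry per spoofed SYN
        self.penalty = set()
        self.whitelist = set()

    def on_syn(self, src, now):
        if src in self.whitelist:
            return "accept"      # a SYN forged with a whitelisted source passes too
        if src in self.penalty:
            return "drop"
        self.pending.setdefault(src, now + self.timeout)
        return "accept"

    def on_ack(self, src):
        if src in self.pending:
            del self.pending[src]
            self.whitelist.add(src)

    def expire(self, now):
        for src in [s for s, d in self.pending.items() if d <= now]:
            del self.pending[src]
            self.penalty.add(src)


def simulate_penalty_box(n_spoofed=10_000):
    """Attacker sends n spoofed SYNs from random sources, one forged with a real
    newcomer's address, and later one forged with a whitelisted client's address."""
    rng = random.Random(1)
    f = PenaltyBoxFilter()
    regular, newcomer = "198.51.100.7", "203.0.113.9"   # constructed clients
    f.on_syn(regular, now=0)
    f.on_ack(regular)                                   # the "frequent flier"
    for _ in range(n_spoofed):
        f.on_syn(str(ipaddress.IPv4Address(rng.getrandbits(32))), now=10)
    f.on_syn(newcomer, now=10)                          # forged, never ACKed
    state_after_flood = len(f.pending)                  # grows with attacker's pps
    f.expire(now=20)
    return {
        "state_after_flood": state_after_flood,
        "penalised": len(f.penalty),
        "newcomer_blocked": f.on_syn(newcomer, now=21) == "drop",
        "forged_whitelisted_accepted": f.on_syn(regular, now=21) == "accept",
    }


def simulate_cookies(n_spoofed=10_000):
    """Same flood against a cookie server: nothing is stored until a valid ACK."""
    rng = random.Random(2)
    dst, dport = ip("192.0.2.10"), 443
    connections = {}
    for _ in range(n_spoofed):                          # answer SYN-ACK, store nothing
        syn_cookie(rng.getrandbits(32).to_bytes(4, "big"), 40000, dst, dport, 1460, now=1000)
    src, sport = ip("198.51.100.7"), 51515
    isn = syn_cookie(src, sport, dst, dport, 1460, now=1000)
    mss = check_cookie(src, sport, dst, dport, isn + 1, now=1001)
    if mss is not None:
        connections[(src, sport)] = mss                 # first allocation: verified source
    forged = check_cookie(src, sport, dst, dport, (isn + 1) ^ 0x1234, now=1001)
    stale = check_cookie(src, sport, dst, dport, isn + 1, now=1000 + 3 * COUNTER_PERIOD)
    return {"connections": len(connections), "mss": mss, "forged": forged, "stale": stale}
```

Running `simulate_penalty_box()` shows both failure modes: the pending table holds one entry per spoofed packet, so memory is bounded only by the attacker's packet rate, and because the key is an address the attacker chooses, a legitimate newcomer whose address was used in the flood is in the penalty box before it ever sends a real SYN, while a forged SYN from a whitelisted address sails through. `simulate_cookies()` allocates exactly one entry, for the one source that proved it received the SYN-ACK, and rejects both a guessed ACK and a cookie presented after the epoch window. Cookies have their own limits worth knowing before relying on them: a captured valid ACK can be replayed within the window, a 24-bit hash is only a rate limit on guessing, and TCP options that do not fit in the ISN are lost unless TCP timestamps carry them. They also only shrink per-host state; at IX or provider scale the packets still have to be carried and processed, which is the scaling problem raised above.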