Re: syn flood attacks from NL-based netblocks
The source address in the SYN is spoofed. What if the real owner of the source address wanted to connect to you? Then your penaltybox would block him. An attacker could now use your penaltybox to cause a DoS to the real owner of the IP address.
Date: Sun, 18 Aug 2019 08:48:08 -0700 From: Mike <mike-nanog@tiedyenetworks.com>
My idea is to maintain a penaltybox for any client IP that initiated a connection but did not complete it, while also maintaining a whitelist of 'frequent fliers' who have previously completed their connections successfully. The penalty could simply be to drop traffic sourced from those client IPs that do not complete the handshake, for some configurable timeout period. The whitelisting feature could give a pass to good clients and allow these to bypass the penalty filtering, for a longer timeout period (but of course, passing it along so other ACLs can take effect). I'd say, perhaps, a 5 minute timeout would be sufficient for a penalty, while 1 day or longer would be sufficient for whitelisting. It would depend on your traffic of course, and definitely you would want something efficient such as linux ipset as opposed to individual iptables rules.
While looking around, I came across the SYNPROXY netfilter module. It appears to be very complete but missing the above functionality to avoid responding to spoofed clients. I'm going to see about hacking up a proof of concept. I'll post here if I come up with something to play with.
Mike-
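The penaltybox/whitelist policy from Mike's post, and the collateral-damage case Jakob raises, modelled in a small in-memory simulation. This is an added example written for this page; it is not Mike's proof of concept and not SYNPROXY code. The two tables stand in for the two ipset hash:ip sets (created with per-entry timeouts) that a real deployment would use; the 5 minute penalty and 1 day whitelist come from the post, while the 30 second half-open deadline, the event format and the addresses (from documentation ranges) are assumptions made for the example.

```python
"""Simulation of a SYN penaltybox with a 'frequent flier' whitelist.

Constructed example: dicts stand in for two ipset hash:ip sets with
per-entry timeouts. Events are (time, kind, ip) tuples where "syn" means
a SYN arrived from ip and "done" means ip completed the 3-way handshake.
"""
from dataclasses import dataclass, field

PENALTY_SECONDS = 300        # 5 minute penalty, as suggested in the post
WHITELIST_SECONDS = 86400    # 1 day whitelist, as suggested in the post
HANDSHAKE_DEADLINE = 30      # assumption: a SYN left half-open longer than
                             # this counts as "did not complete"


@dataclass
class PenaltyBox:
    penalty: dict = field(default_factory=dict)    # ip -> expiry time
    whitelist: dict = field(default_factory=dict)  # ip -> expiry time
    pending: dict = field(default_factory=dict)    # ip -> time of first SYN

    def _expire(self, now):
        # Drop timed-out penalty and whitelist entries (ipset does this itself).
        for table in (self.penalty, self.whitelist):
            for ip in [ip for ip, exp in table.items() if exp <= now]:
                del table[ip]
        # Half-open SYNs past the deadline: penalize, unless whitelisted.
        stale = [ip for ip, t in self.pending.items() if now - t > HANDSHAKE_DEADLINE]
        for ip in stale:
            del self.pending[ip]
            if ip not in self.whitelist:
                self.penalty[ip] = now + PENALTY_SECONDS

    def syn(self, now, ip):
        """Return True if the SYN is passed on to the stack, False if dropped."""
        self._expire(now)
        if ip in self.whitelist:          # frequent flier bypasses the penalty filter
            return True
        if ip in self.penalty:
            return False
        self.pending.setdefault(ip, now)  # remember the earliest SYN from this ip
        return True

    def done(self, now, ip):
        """Handshake completed: clear any penalty and whitelist the client."""
        self._expire(now)
        self.pending.pop(ip, None)
        self.penalty.pop(ip, None)
        self.whitelist[ip] = now + WHITELIST_SECONDS


def run(events):
    """Feed events through the policy; return ([(time, ip, verdict)], box)."""
    box = PenaltyBox()
    verdicts = []
    for now, kind, ip in sorted(events):
        if kind == "syn":
            verdicts.append((now, ip, "pass" if box.syn(now, ip) else "drop"))
        elif kind == "done":
            box.done(now, ip)
    return verdicts, box


def demo():
    """Constructed event stream: one good client, one spoofed source address."""
    events = [
        (0, "syn", "203.0.113.5"), (1, "done", "203.0.113.5"),   # good client
        (0, "syn", "198.51.100.7"),      # spoofed SYN; never completes
        (60, "syn", "198.51.100.7"),     # real owner connects -> dropped (Jakob's case)
        (400, "syn", "198.51.100.7"),    # penalty expired; owner retries
        (401, "done", "198.51.100.7"),   # ... and completes, so is whitelisted
        (500, "syn", "198.51.100.7"),    # spoofed again: whitelisted, still passes
        (600, "syn", "198.51.100.7"),    # and is not penalized for not completing
    ]
    return run(events)


if __name__ == "__main__":
    for now, ip, verdict in demo()[0]:
        print(f"t={now:4d} {ip:14s} {verdict}")
```

The drop at t=60 is the point of the reply above: a single spoofed SYN is enough to put the victim address in the penalty set, so whoever really holds that address is locked out for the whole penalty window. The whitelist only protects clients that have already completed a handshake recently; a first-time or infrequent client has no such protection.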
participants (1): Jakob Heitz (jheitz)