Re: Suggestion for NANOG Meeting
Paul, If I install blackhole routing like this, will I SYN bomb myself if I get lots of incoming packets from these addresses and can't respond to them? Would I be better off to filter all INCOMING packets FROM these networks inbound to my network? -Dorn
I am responding to NANOG since I think the question may be of general interest.
> If I install blackhole routing like this, will I SYN bomb myself if I get lots of incoming packets from these addresses and can't respond to them?
No. When you install a "reject" route, it will cause your SYN-ACKs to be sent back to your local blackhole instance, which will send an ICMP-Unreach to your SYN-ACK source (usually a mail server), which will abort the TCP connection. The spammer's SMTP client's TCP stack will send one or two more SYNs, and the process will repeat. The cost to your network is very low. If you install a "blackhole" route then you end up with half-open TCP connections, but unless the spammer sends you a steady stream of SYNs it will be far fewer steady-state protocol control blocks than under a full SYN-bomb attack, which your servers must already be able to handle.
> Would I be better off to filter all INCOMING packets FROM these networks inbound to my network?
Doing that means you pay the filtering cost on all incoming packets. This means your Cisco runs at 5% to 10% of its rated capacity and you don't get any silicon or autonomous switching. It also means there's no way for you to subscribe to an external real-time anti-spam service like mine -- you'd have to install the routes by hand, which means you could not be part of a coordinated and time-synchronized immune system.
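To make the reject-versus-blackhole trade-off above concrete, here is an added example (not part of the thread, and not code from either participant): a small Python model of how many protocol control blocks a victim mail server holds at once under each route treatment for a stream of connection attempts from listed sources. The SYN retry schedule, SYN-ACK timeout and ICMP latency are assumed, illustrative values, not any vendor's defaults.

```python
"""Model of the embryonic TCP connections (PCBs) a server holds when its
SYN-ACKs to listed spam sources hit a "reject" route vs a "blackhole" route.
Added example; all timer values below are assumptions for illustration.
"""

# Assumed: the spammer's client sends a SYN, retries at +3 s and +9 s, then gives up.
SYN_RETRIES = (0.0, 3.0, 9.0)
# Assumed: with a blackhole route the server's SYN-ACKs vanish, so the half-open
# PCB lives until the SYN-ACK retransmit timer gives up (75 s here).
SYNACK_TIMEOUT = 75.0
# Assumed: with a reject route the local ICMP unreachable comes back in ~1 ms
# and the server aborts the embryonic connection immediately.
REJECT_LATENCY = 0.001


def attempt_pcbs(start, treatment):
    """Return (alloc, free) time intervals of PCBs caused by one client
    connection attempt that begins at `start`."""
    if treatment == "reject":
        # Every SYN provokes a SYN-ACK that bounces off the reject route;
        # the ICMP-Unreach frees the PCB almost at once, so each retry is a
        # separate, very short-lived allocation.
        return [(start + d, start + d + REJECT_LATENCY) for d in SYN_RETRIES]
    if treatment == "blackhole":
        # The first SYN allocates a half-open PCB; retried SYNs match the same
        # 4-tuple and reuse it. It is freed only when the SYN-ACK timer expires.
        return [(start, start + SYNACK_TIMEOUT)]
    raise ValueError("unknown treatment: %r" % treatment)


def peak_half_open(attempt_starts, treatment):
    """Maximum number of PCBs held simultaneously for a stream of attempts."""
    events = []
    for s in attempt_starts:
        for alloc, free in attempt_pcbs(s, treatment):
            events.append((alloc, +1))
            events.append((free, -1))
    # Sorting (time, delta) puts a free (-1) before an alloc (+1) at equal times.
    events.sort()
    current = peak = 0
    for _, delta in events:
        current += delta
        peak = max(peak, current)
    return peak


if __name__ == "__main__":
    # Constructed load: one new attempt from a listed source every second for 5 min.
    starts = [float(i) for i in range(300)]
    for mode in ("reject", "blackhole"):
        print("%-9s peak half-open PCBs: %d" % (mode, peak_half_open(starts, mode)))
```

Under these assumptions the reject route peaks at three short-lived PCBs while the blackhole route holds 75 half-open connections, which is the steady-state cost the reply describes and is still far below what a deliberate SYN flood would impose.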
participants (2): ALAN DORN HETZEL JR, Paul A Vixie