Re: Suggestion for NANOG Meeting
From: Paul A Vixie <paul () vix com>
Date: Mon, 20 Jan 1997 12:03:58 -0800
I am responding to NANOG since I think the question may be of general interest.
> If I install blackhole routing like this, will I SYN bomb myself if I
> get lots of incoming packets from these addresses and can't respond?
No. When you install a "reject" route, it will cause your SYN-ACKs to
be sent back to your local blackhole instance, which will send an
ICMP-Unreach to your SYN-ACK source (usually a mail server), which will
abort the TCP connection. The spammer's SMTP client's TCP stack will
send one or two more SYNs, and the process will repeat. The cost to
your network is very low.
If you install a "blackhole" route then you end up with half-open TCP
connections, but unless the spammer sends you a steady stream of SYNs
it will be far fewer steady-state protocol control blocks than under a
full SYN-bomb attack, which your servers must already be able to handle.
> Would I be better off to filter all INCOMING packets FROM these networks
> inbound to my network?
Doing that means you pay the filtering cost on all incoming packets. This
means your Cisco runs at 5% to 10% of its rated capacity and you don't get
any silicon or autonomous switching. It also means there's no way for you
to subscribe to an external real-time anti-spam service like mine -- you'd
have to install the routes by hand, which means you could not be part of a
coordinated and time-synchronized immune system.
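As an added illustration (not part of Paul Vixie's post), a small Python model of the two routing choices described above: each SYN from a listed source triggers a SYN-ACK that either hits a "reject" route and is bounced back as an ICMP unreachable, or hits a "blackhole" route and is silently dropped. The SYN-ACK retransmit timeout is an assumed value.

```python
"""Toy model of the two null-route styles compared in the post above.

Constructed example, not from the post: every SYN from a listed source makes
the server emit a SYN-ACK routed via the local null route for that prefix.
A 'reject' route bounces the SYN-ACK back as an ICMP unreachable, so the
server aborts the embryonic connection at once. A 'blackhole' route drops it
silently, so the half-open entry lingers until the server's own SYN-ACK
retransmissions give up (SYN_ACK_TIMEOUT, an assumed value).
"""
SYN_ACK_TIMEOUT = 75.0  # seconds a half-open entry survives without the final ACK (assumed)


def simulate(route: str, syns: list[tuple[float, str]]) -> dict:
    """Replay SYN arrivals (time, conn_id) and return peak/final half-open counts
    plus the number of ICMP unreachables the null route generated. conn_id stands
    for the TCP 4-tuple, so a retransmitted SYN reuses its existing entry."""
    if route not in ("reject", "blackhole"):
        raise ValueError(f"unknown route type: {route}")
    half_open: dict[str, float] = {}  # conn_id -> time the server gives up on it
    icmp_unreach = peak = 0
    for now, conn in sorted(syns):
        # Entries whose SYN-ACK retransmit timer has expired are torn down.
        half_open = {c: t for c, t in half_open.items() if t > now}
        if route == "reject":
            icmp_unreach += 1          # SYN-ACK -> reject route -> ICMP unreach -> abort
            half_open.pop(conn, None)  # nothing half-open survives
        else:
            # SYN-ACK is dropped; a retransmitted SYN does not extend the timer.
            half_open.setdefault(conn, now + SYN_ACK_TIMEOUT)
        peak = max(peak, len(half_open))
    return {"peak_half_open": peak, "final_half_open": len(half_open),
            "icmp_unreach": icmp_unreach}


def steady_stream(rate_per_sec: float, duration: float) -> list[tuple[float, str]]:
    """Constructed traffic: a fresh connection attempt every 1/rate seconds."""
    return [(i / rate_per_sec, f"c{i}") for i in range(int(duration * rate_per_sec))]


if __name__ == "__main__":
    # One spammer connection: initial SYN plus the "one or two more" retransmits.
    single = [(0.0, "a"), (3.0, "a"), (9.0, "a")]
    print("reject,    single attempt:", simulate("reject", single))
    print("blackhole, single attempt:", simulate("blackhole", single))
    # A steady stream of new SYNs: half-open entries plateau at rate * timeout.
    print("blackhole, 2 SYN/s x 600 s:", simulate("blackhole", steady_stream(2, 600)))
```

The steady-stream case makes the post's caveat quantitative: under a blackhole route the half-open count settles at roughly arrival rate times the SYN-ACK timeout, while a reject route never holds one open.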