Home page logo
/

nanog logo nanog mailing list archives

Re: Suggestion for NANOG Meeting
From: Paul A Vixie <paul () vix com>
Date: Mon, 20 Jan 1997 12:03:58 -0800

I am responding to NANOG since I think the question may be of general interest.

If I install blackhole routing like this, will I SYN bomb myself if I
get lots of incoming packets from these addresses and can't respond 
to them?

No.  When you install a "reject" route, it will cause your SYN-ACKs to
be sent back to your local blackhole instance, which will send an
ICMP-Unreach to your SYN-ACK source (usually a mail server), which will
abort the TCP connection.  The spammers SMTP client's TCP stack will
send one or two more SYNs, and the process will repeat.  The cost to
your network is very low.

If you install a "blackhole" route then you end up with half-open TCP
connections, but unless the spammer sends you a steady stream of SYNs
it will be far fewer steady-state protocol control blocks than under a
full SYN-bomb attack, which your servers must already be able to handle.

Would I be better of to filter all INCOMING packets FROM these networks
inbound to my network?

Doing that means you pay the filtering cost on all incoming packets.  This
means your Cisco runs at 5% to 10% of its rated capacity and you don't get
any silicon or autonomous switching.  It also means there's no way for you
to subscribe to an external real-time anti-spam service like mine -- you'd
have to install the routes by hand, which means you could not be part of a
coordinated and time-synchronized immune system.
- - - - - - - - - - - - - - - - -


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault