Re: syn flood attacks from NL-based netblocks

["Jakob Heitz \(jheitz\) via NANOG" <nanog () nanog org>]

The source address in the SYN is spoofed. What if the real owner of the source address wanted to connect to you? Then 
your penaltybox would block him. An attacker could now use your penaltybox to cause a DoS to the real owner of the IP 
address.

> Date: Sun, 18 Aug 2019 08:48:08 -0700
> From: Mike <mike-nanog () tiedyenetworks com>
>
> My idea is to maintain a penaltybox for any client IP that initiated a
> connection but did not complete, while also maintaining a whitelist of
> 'frequent fliers' who have previously completed their connections
> successful. The penalty could simply be to drop traffic sourced from
> those client ips that do not complete the handshake, for some
> configurable timeout period. The whitelisting feature could give a pass
> to good clients and allow these to bypass the penalty filtering, for a
> longer timeout period (but of course, passing it along so other ACL's
> can take effect). I'd say, perhaps, a 5 minute timeout would be
> sufficient for a penalty, while 1 day or longer would be sufficient for
> whitelisting. It would depend on your traffic of course, and definitely
> you would want something efficient such as linux ipset as opposed to
> individual iptables rules.
>
> While looking around, I came across the SYNPROXY netfilter module.. it
> appears to be very complete but missing the above functionality to avoid
> responding to spoofed clients. I'm going to see about hacking up a proof
> of concept. I'll post here if I come up with something to play with.
>
> Mike-