syn flood attacks from NL-based netblocks

Damian Menscher damian at google.com
Mon Aug 19 17:12:46 UTC 2019


On Mon, Aug 19, 2019 at 4:15 AM Töma Gavrichenkov <ximaera at gmail.com> wrote:

> Dealing with TCP flags is a different story:
>

I agree these attacks can be large: the one under discussion probably
exceeded 10Mpps (Gbps is the wrong metric for small-packet attacks).

I agree they can cause significant outages: this style of attack played a
role in the Liberia outages in 2016.

My main disagreement is whether small amplification factors are
noteworthy.  A factor of 2 is "rounding error" and we probably shouldn't
waste our time on it (e.g., by designing solutions to reduce amplification
factors) when we could instead be targeting the sources of spoofed traffic.

I was highlighting this as a DDoS (rather than a port scan) mainly to raise
awareness.  This is definitely an interesting form of attack, largely for
the reasons you state (it's subtle to detect and therefore harder to
mitigate).  But this particular "carpet-bombing" attack isn't likely to be
mitigated at the network layer anyway... the load is distributed across
thousands of machines which can each trivially handle the state.  It's more
a question of bandwidth to the provider... and if you're targeting the
provider's bandwidth you'd do better to use traditional UDP amplification.

Damian
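The detection difficulty described above (a "carpet-bombing" SYN flood spreads the load over every address in a prefix, so no single host looks anomalous) can be shown with a small aggregation exercise. The following is an added example, not code from the thread or from any NANOG participant: it builds constructed one-second TCP flow samples, computes SYN-only packet rates per destination host and per /24 prefix, and applies a threshold at each level. The IP ranges, packet counts and thresholds are all invented for illustration; the sampling layout (one record per destination host per second, with a TCP flag string) is an assumption, not a real collector's format.

```python
"""Per-host vs per-prefix SYN-rate detection over constructed flow samples.

A carpet-bombing SYN flood keeps every individual host under a per-host
threshold while the prefix as a whole consumes the provider's bandwidth.
Aggregating SYN-only packet rates by prefix makes the pattern visible,
while a per-host threshold still catches a flood concentrated on one host.
"""
import ipaddress
from collections import defaultdict

WINDOW_SECONDS = 1  # each sample covers one second of observed traffic


def build_samples():
    """Constructed samples: (dst_ip, tcp_flags, packets_in_window)."""
    samples = []
    # Concentrated flood: one host receives 5000 SYN/s (constructed value).
    samples.append(("198.51.100.7", "S", 5000))
    # Carpet-bombing: every host in 203.0.113.0/24 receives 50 SYN/s,
    # far below any sensible per-host threshold (constructed values).
    for host in ipaddress.ip_network("203.0.113.0/24").hosts():
        samples.append((str(host), "S", 50))
    # Ordinary traffic: a few legitimate SYNs plus established connections.
    samples.append(("192.0.2.10", "S", 20))
    samples.append(("192.0.2.10", "SA", 20))   # handshake replies, not SYN-only
    samples.append(("192.0.2.11", "PA", 900))  # data packets, not SYN-only
    return samples


def syn_rate_per_host(samples):
    """Map destination host -> SYN-only packets per second."""
    rates = defaultdict(float)
    for dst, flags, pkts in samples:
        if flags == "S":  # SYN set, ACK clear: a connection attempt
            rates[dst] += pkts / WINDOW_SECONDS
    return dict(rates)


def syn_rate_per_prefix(samples, prefix_len=24):
    """Map destination prefix (e.g. 203.0.113.0/24) -> aggregate SYN pps."""
    rates = defaultdict(float)
    for dst, flags, pkts in samples:
        if flags == "S":
            prefix = ipaddress.ip_network(f"{dst}/{prefix_len}", strict=False)
            rates[str(prefix)] += pkts / WINDOW_SECONDS
    return dict(rates)


def detect(samples, host_threshold=1000.0, prefix_threshold=10000.0,
           prefix_len=24):
    """Return hosts and prefixes whose SYN rate crosses its threshold.

    Thresholds are illustrative; in practice they are sized from the
    capacity of the host's listen queue and of the upstream link.
    """
    host_alerts = sorted(
        h for h, r in syn_rate_per_host(samples).items() if r >= host_threshold
    )
    prefix_alerts = sorted(
        p for p, r in syn_rate_per_prefix(samples, prefix_len).items()
        if r >= prefix_threshold
    )
    return {"hosts": host_alerts, "prefixes": prefix_alerts}


if __name__ == "__main__":
    samples = build_samples()
    result = detect(samples)
    print("per-host alerts  :", result["hosts"])
    print("per-prefix alerts:", result["prefixes"])
    agg = syn_rate_per_prefix(samples)["203.0.113.0/24"]
    print(f"203.0.113.0/24 aggregate: {agg:.0f} SYN/s "
          f"({agg / 1e6:.4f} Mpps) from hosts that each see only 50 SYN/s")
```

Run as-is, the per-host check flags only 198.51.100.7, and the per-prefix check flags only 203.0.113.0/24, which is the point: the 254 hosts of the carpet-bombed prefix each sit at 50 SYN/s, so a host-level rule never fires, while their sum (12700 SYN/s) is what the upstream link actually sees. Reporting the aggregate in packets per second rather than bits per second keeps the small-packet nature of the traffic visible, which is why the thread treats Mpps as the meaningful unit.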