Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Suggestion for NANOG Meeting

  • From: Paul A Vixie
  • Date: Mon Jan 20 15:02:22 1997

I am responding to NANOG since I think the question may be of general interest.

> If I install blackhole routing like this, will I SYN bomb myself if I
> get lots of incoming packets from these addresses and can't respond 
> to them?

No.  When you install a "reject" route, it will cause your SYN-ACKs to
be sent back to your local blackhole instance, which will send an
ICMP-Unreach to your SYN-ACK source (usually a mail server), which will
abort the TCP connection.  The spammers SMTP client's TCP stack will
send one or two more SYNs, and the process will repeat.  The cost to
your network is very low.

If you install a "blackhole" route then you end up with half-open TCP
connections, but unless the spammer sends you a steady stream of SYNs
it will be far fewer steady-state protocol control blocks than under a
full SYN-bomb attack, which your servers must already be able to handle.

> Would I be better of to filter all INCOMING packets FROM these networks
> inbound to my network?

Doing that means you pay the filtering cost on all incoming packets.  This
means your Cisco runs at 5% to 10% of its rated capacity and you don't get
any silicon or autonomous switching.  It also means there's no way for you
to subscribe to an external real-time anti-spam service like mine -- you'd
have to install the routes by hand, which means you could not be part of a
coordinated and time-synchronized immune system.
- - - - - - - - - - - - - - - - -

Discussion Communities

About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home

Merit Network, Inc.