nanog mailing list archives

Re: Suggestion for NANOG Meeting


From: Paul A Vixie <paul () vix com>
Date: Mon, 20 Jan 1997 12:03:58 -0800

I am responding to NANOG since I think the question may be of general interest.

> If I install blackhole routing like this, will I SYN bomb myself if I
> get lots of incoming packets from these addresses and can't respond
> to them?

No.  When you install a "reject" route, it will cause your SYN-ACKs to
be sent back to your local blackhole instance, which will send an
ICMP-Unreach to your SYN-ACK source (usually a mail server), which will
abort the TCP connection.  The spammer's SMTP client's TCP stack will
send one or two more SYNs, and the process will repeat.  The cost to
your network is very low.

If you install a "blackhole" route then you end up with half-open TCP
connections, but unless the spammer sends you a steady stream of SYNs
it will be far fewer steady-state protocol control blocks than under a
full SYN-bomb attack, which your servers must already be able to handle.

> Would I be better off to filter all INCOMING packets FROM these networks
> inbound to my network?

Doing that means you pay the filtering cost on all incoming packets.  This
means your Cisco runs at 5% to 10% of its rated capacity and you don't get
any silicon or autonomous switching.  It also means there's no way for you
to subscribe to an external real-time anti-spam service like mine -- you'd
have to install the routes by hand, which means you could not be part of a
coordinated and time-synchronized immune system.
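As an added illustration (not part of Paul Vixie's post), the following Python model walks through the three options discussed above: a reject route that bounces the server's SYN-ACK as an ICMP unreachable, a blackhole route that silently discards it, and an ingress filter that drops the SYN before the host sees it. It tracks the server's half-open (SYN_RCVD) table over time so the steady-state cost of each choice can be compared. The SYN retransmit schedule, the half-open timeout, the sample address and the port numbers are constructed assumptions, not values from the post.

```python
"""Constructed model of a mail server's half-open connection table when SYNs
arrive from addresses whose return route is a reject route, a blackhole route,
or an inbound filter. Added example; timers and sample traffic are assumptions."""

# Offsets (seconds) at which the client sends its first SYN and two retransmits
# before giving up. Constructed schedule resembling BSD-style backoff.
SYN_RETRANSMIT_OFFSETS = (0, 3, 9)

# Seconds a server keeps a SYN_RCVD entry that never completes (assumption).
HALF_OPEN_TIMEOUT = 75

# Constructed sample: one new connection attempt every 30 s from a fresh source
# port, ten attempts in total, all from the same (documentation-range) address.
SAMPLE_PEER = "203.0.113.7"
SAMPLE_ATTEMPTS = [(30 * i, 1025 + i) for i in range(10)]


def syn_stream(attempts):
    """Expand connection attempts [(t0, src_port), ...] into sorted (t, src_port) SYNs."""
    return sorted((t0 + off, port) for t0, port in attempts for off in SYN_RETRANSMIT_OFFSETS)


def simulate(policy, attempts, horizon=300):
    """Return ICMP unreachable count and peak/final half-open PCB counts.

    policy: 'reject'    - SYN-ACK hits the local reject route, an ICMP unreachable
                          comes back and the server aborts the embryonic connection
            'blackhole' - SYN-ACK is silently dropped; the PCB stays in SYN_RCVD
                          until HALF_OPEN_TIMEOUT expires it
            'ingress'   - SYN is filtered on the inbound interface; the server
                          never allocates anything, but every packet is inspected
    """
    if policy not in ("reject", "blackhole", "ingress"):
        raise ValueError(f"unknown policy {policy!r}")
    syns = syn_stream(attempts)
    table = {}          # src_port -> time the entry entered SYN_RCVD
    icmp = 0
    peak = 0
    idx = 0
    for now in range(horizon):
        # Expire half-open entries that have sat unanswered past the timeout.
        table = {p: t for p, t in table.items() if now - t < HALF_OPEN_TIMEOUT}
        while idx < len(syns) and syns[idx][0] == now:
            _, port = syns[idx]
            idx += 1
            if policy == "ingress":
                continue            # dropped before the host sees it
            if policy == "reject":
                icmp += 1           # one bounced SYN-ACK per SYN; PCB is freed at once
                continue
            # blackhole: a retransmitted SYN for an existing SYN_RCVD entry only
            # triggers another SYN-ACK; a new source port allocates a new PCB.
            table.setdefault(port, now)
        peak = max(peak, len(table))
    return {"icmp_unreach": icmp, "peak_half_open": peak, "final_half_open": len(table)}


def compare(attempts=SAMPLE_ATTEMPTS):
    """Run all three policies over the same SYN stream for side-by-side comparison."""
    return {p: simulate(p, attempts) for p in ("reject", "blackhole", "ingress")}


if __name__ == "__main__":
    for policy, result in compare().items():
        print(f"{policy:10s} {result}")
```

With the sample traffic the reject route answers all 30 SYNs with an ICMP unreachable and never holds a half-open entry, while the blackhole route peaks at three SYN_RCVD entries (the 75 s timeout divided by the 30 s attempt interval, rounded up) and two remain at the end of the run; that is the small steady-state PCB population the post describes, well below what a real SYN flood would impose. The ingress filter shows zeros for every counter, which is exactly the point made above: its cost is not visible in the server's tables but in the router inspecting every inbound packet.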