Hacker News

Bender, last Tuesday at 10:16 PM

I am having fun playing with the slow syn flood of spoofed packets someone is sending. I appreciate them sending it. I like the variability in the TCP MSS, TTL, Window sizes they are sending.

Thus far I am letting some leak through, it would seem.

    100 SYN received in 15.03 seconds

    100 SYN-ACK returned in 3 minutes and 22.03 seconds.
Thus far 2388 requests to this confused-bots file have been let through and 3226 have been assumed to be bots.

Replies

Bender, yesterday at 1:12 PM

Eventually ran out of things to play with. Actions taken:

- Blackhole routed a few ASNs / data centers. It's all spoofed packets, but good to block data centers regardless so we are not sending them SYN-ACKs (good hygiene).

- Added a temporary rule when we encounter a SYN flood. [1]

End result: input, 20 packets in 17 seconds; output, 20 SYN-ACK replies in 4 minutes and 44 seconds. That should translate to an acceptable amount of SYN-ACK if we were actually attacked some day.

Impact: Before, we sent more SYN-ACKs than I would have liked, but there was overall no impact to Nginx as we use the "deferred" socket option [2]. Now we send far fewer SYN-ACK packets, for good internet hygiene. Thank you to the person using the SYN flood tool.

[1] - https://mirror.newsdump.org/nftables.txt

[2] - https://mirror.newsdump.org/nginx/http.d/11_bad_sni.conf.txt

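Added example, not part of the thread and not the ruleset linked at [1]: a token-bucket model that approximates the semantics of an nftables `limit rate R/second burst B packets` rule, run over a constructed flood of 100 SYNs in 15 seconds from distinct spoofed sources (the shape described in the first comment). It shows why a per-source meter (one bucket per `ip saddr`) does nothing against spoofed sources, while a single global limit on incoming SYNs caps how many SYN-ACKs the host emits. The flood data, the 1/s rate and the burst of 10 are assumptions chosen for illustration; nftables' exact refill behaviour is approximated, not reproduced.

```python
"""Why per-source SYN limits fail against a spoofed flood, and what a global
SYN limit buys you.  Added example: a token-bucket model approximating
nftables `limit rate R/second burst B packets`, run over a constructed flood.
Times are integer milliseconds and tokens are kept in thousandths so the
arithmetic is exact."""
from typing import Dict, List, Tuple

Syn = Tuple[int, str]  # (arrival time in ms, source address)


class TokenBucket:
    """Bucket holding up to `burst` tokens, refilled at `rate` tokens/second.
    One SYN costs one token; a SYN that finds no whole token is dropped,
    so no SYN-ACK is generated for it."""

    def __init__(self, rate: int, burst: int) -> None:
        self.rate = rate            # tokens per second == millitokens per ms
        self.cap_m = burst * 1000   # capacity in millitokens
        self.tokens_m = self.cap_m  # start full, like a freshly loaded rule
        self.last_ms = 0

    def allow(self, t_ms: int) -> bool:
        elapsed = t_ms - self.last_ms
        self.last_ms = t_ms
        self.tokens_m = min(self.cap_m, self.tokens_m + elapsed * self.rate)
        if self.tokens_m >= 1000:
            self.tokens_m -= 1000
            return True
        return False


class GlobalLimit:
    """One bucket for every SYN hitting the service, regardless of source
    (what a plain `limit rate` on the SYN match does)."""

    def __init__(self, rate: int, burst: int) -> None:
        self.bucket = TokenBucket(rate, burst)

    def allow(self, t_ms: int, src: str) -> bool:
        return self.bucket.allow(t_ms)


class PerSourceLimit:
    """One bucket per source address (an nft `meter` keyed on ip saddr).
    Every spoofed source gets its own fresh bucket, so a flood of distinct
    addresses is never rate-limited at all."""

    def __init__(self, rate: int, burst: int) -> None:
        self.rate, self.burst = rate, burst
        self.buckets: Dict[str, TokenBucket] = {}

    def allow(self, t_ms: int, src: str) -> bool:
        b = self.buckets.get(src)
        if b is None:
            b = self.buckets[src] = TokenBucket(self.rate, self.burst)
        return b.allow(t_ms)


def simulate(syns: List[Syn], policy) -> Tuple[int, int]:
    """Apply `policy` to SYNs in arrival order; return (syn_acks_sent, dropped)."""
    sent = dropped = 0
    for t_ms, src in sorted(syns):
        if policy.allow(t_ms, src):
            sent += 1
        else:
            dropped += 1
    return sent, dropped


def spoofed_flood(n: int = 100, span_ms: int = 15_000) -> List[Syn]:
    """Constructed input (not captured traffic): `n` SYNs spread evenly over
    `span_ms`, each from a different spoofed address in TEST-NET-3
    (203.0.113.0/24)."""
    return [(i * span_ms // n, f"203.0.113.{i % 256}") for i in range(n)]


if __name__ == "__main__":
    flood = spoofed_flood()
    print("per-source 1/s burst 10:", simulate(flood, PerSourceLimit(1, 10)))
    print("global     1/s burst 10:", simulate(flood, GlobalLimit(1, 10)))
```

With these parameters the per-source meter lets all 100 SYNs through (100 SYN-ACKs sent), while the global limit answers 24 and drops 76: the burst of 10 plus roughly one refill per second over the 15-second window. The trade-off is that a global limit also drops SYNs from legitimate clients while the flood is running, so the rate and burst need to be sized against the real SYN rate of the service rather than set as low as possible.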