Eventually ran out of things to play with. Actions taken:
- Blackhole routed a few ASNs / data-centers. It's all spoofed packets but good to block data-centers regardless so we are not sending them syn-ack (good hygiene).
- Added a temporary rule when we encounter a syn-flood. [1]
End result: Input 20 packets in 17 seconds, Output syn-ack reply 20 packets in 4 minutes and 44 seconds. That should translate to an acceptable amount of syn-ack if we were actually attacked some day.
Impact: Before, we sent more syn-ack than I would have liked but there was overall no impact to Nginx as we use the "deferred" socket option [2]. Now we send far fewer syn-ack packets for good internet hygiene. Thank you to the person using the syn flood tool.
[1] - https://mirror.newsdump.org/nftables.txt
[2] - https://mirror.newsdump.org/nginx/http.d/11_bad_sni.conf.txt
On a funny side note, it seems that after blocking ASNs I ended up finding by coincidence this list of ASNs that are related in some way to StormWall [1]. Curious what that means. Perhaps they were trying to get me to add myself to a BGP GRE DDoS scrubbing list with the syn-ack packets. Well played if so! :-D
[1] - https://bgp.tools/as-set/RIPE::as-stormwall-set#reverse