Hi all,
We recently came under a low-traffic botnet DDoS attack. All attacker
nodes opened a single TCP session (just the SYN part) and then did nothing.
This rules out rate-limiting solutions, and syncookies don't help
either (thousands of attacking nodes).
I'd like to know your thoughts about two possible approaches to solving
this:
- syn proxy: already used for example by Cisco. The router handles the
first part of the connection and only routes packets to the client if
the connection seems good. (Good against single/spoofed incoming SYNs
but may be used to wait for the first packet with actual data as well).
- Implement a conntrack solution that gives a timestamp to the
connection. Then this timestamp could be used to drop the connection if
no data arrives within a configured time limit (good for open inactive
connections only). Of course appropriate close toward the local client
has to be done as well.
What's your opinion?
Bye
Bgs
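The second approach (a conntrack entry that remembers when the connection was opened and is dropped if no data arrives within a configured limit) can be sketched as a small state table. The following is an added example for illustration, not code from the original post or from netfilter: it assumes a 4-tuple flow key, an injectable clock so the expiry can be tested deterministically, and three constructed flows (one SYN-only, one that completes the handshake but stays silent, one that sends data). Real conntrack keys, states and timers are different.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Flow key: (src_ip, src_port, dst_ip, dst_port). Assumption for this example;
# a real tracker also keys on protocol and direction.
Key = Tuple[str, int, str, int]


@dataclass
class Entry:
    state: str                          # "SYN_RECV" or "ESTABLISHED"
    opened_at: float                    # clock value when the first SYN was seen
    first_data_at: Optional[float] = None  # stays None until a payload segment arrives


class IdleHandshakeTracker:
    """Toy tracker that expires connections which never send data.

    The point of the example: a half-open (SYN only) connection and a fully
    established but silent connection are treated the same way, because the
    criterion is "no data within data_timeout", not the handshake state.
    """

    def __init__(self, data_timeout: float):
        self.data_timeout = data_timeout
        self.table: Dict[Key, Entry] = {}

    def on_syn(self, key: Key, now: float) -> None:
        # Timestamp the connection at the first SYN; retransmitted SYNs do not
        # reset it, otherwise an attacker could keep the entry alive for free.
        if key not in self.table:
            self.table[key] = Entry(state="SYN_RECV", opened_at=now)

    def on_ack(self, key: Key, now: float) -> None:
        # Third handshake packet seen: mark established, but do not touch the timer.
        e = self.table.get(key)
        if e is not None and e.state == "SYN_RECV":
            e.state = "ESTABLISHED"

    def on_data(self, key: Key, now: float) -> None:
        # First payload segment: the connection is now considered genuine.
        e = self.table.get(key)
        if e is not None and e.first_data_at is None:
            e.first_data_at = now

    def sweep(self, now: float) -> List[Key]:
        """Remove and return every connection with no data after data_timeout.

        The caller is expected to also close each returned connection toward
        the local server (e.g. by sending it a RST) so it frees its socket,
        which is the "appropriate close toward the local client" in the post.
        """
        expired = [k for k, e in self.table.items()
                   if e.first_data_at is None
                   and now - e.opened_at >= self.data_timeout]
        for k in expired:
            del self.table[k]
        return expired


def run_demo():
    """Constructed flows against a 5 s data timeout; returns the sweep results."""
    t = IdleHandshakeTracker(data_timeout=5.0)
    idle = ("203.0.113.7", 40000, "198.51.100.10", 80)   # constructed: SYN only, never continues
    legit = ("203.0.113.8", 40001, "198.51.100.10", 80)  # constructed: handshake and a request
    slow = ("203.0.113.9", 40002, "198.51.100.10", 80)   # constructed: handshake, then silence

    t.on_syn(idle, 0.0)
    t.on_syn(legit, 0.5)
    t.on_ack(legit, 0.6)
    t.on_data(legit, 1.0)
    t.on_syn(slow, 1.0)
    t.on_ack(slow, 1.1)

    dropped_at_3 = t.sweep(3.0)   # nothing has been silent for 5 s yet
    dropped_at_6 = t.sweep(6.0)   # idle (opened 0.0) and slow (opened 1.0) both exceed 5 s
    return dropped_at_3, dropped_at_6, sorted(t.table)


if __name__ == "__main__":
    print(run_demo())
```

Note that the timer is anchored at the first SYN and never refreshed by handshake packets, so a peer cannot extend the entry's life without actually sending data; the trade-off, as the post says, is that this only covers connections that are open and inactive, and the timeout must be long enough for legitimate clients that pause before their first request.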