For the past few months I've been slowly building up a list of Brazilian networks to block, and if the theory of why it's happening is true, then it's going to be a long slog of banning Brazilian networks for, if not months, then years (with a reported 21,000+ ISPs in Brazil … yeah). Just yesterday, I ended up blocking somewhere around 10 networks before I stopped and asked myself, Myself, how did I get here?

On the one hand, I don't want to participate in a DDoS attack. On the other hand, I don't like the idea of blocking an entire country. But the attacks just keep on coming. I could write a program that runs every n minutes, scans for excessive TCP connections in the SYN_RECV state, identifies the ASN of the offending IP address and blocks it, retiring older blocks to keep from overwhelming the firewall. It's just that it adds another cog on the server to keep greased, and the attacks aren't that disruptive on the server—they're just annoying.
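As an added example (not code from the original post), here is a Python sketch of the periodic job described above. It parses `ss -tan` output for half-open connections (which `ss` prints as `SYN-RECV`; `netstat` prints `SYN_RECV`), maps each source address to an ASN through a hypothetical local prefix table standing in for a whois/RDAP lookup, blocks any ASN whose half-open count crosses a threshold, and retires blocks both by age and by a cap on the total number of entries. The server address, the prefixes and the private-range ASNs are constructed for the example, and the iptables commands are returned as strings rather than executed.

```python
"""Periodic SYN-RECV monitor with ASN-level blocks that expire.

Added example, not the original post's code. Assumptions:
- connection state comes from `ss -tan` text (IPv4 only here);
- PREFIX_TO_ASN is a hypothetical table standing in for a whois/RDAP lookup;
- firewall changes are returned as iptables command strings, not executed.
"""
import ipaddress
import time
from collections import Counter, OrderedDict
from typing import List, Optional

# Constructed sample of `ss -tan` output (not captured traffic). The server is
# 203.0.113.5; the SYN-RECV peers are forged sources in documentation space.
SAMPLE_SS_OUTPUT = """\
State     Recv-Q Send-Q Local Address:Port Peer Address:Port
SYN-RECV  0      0      203.0.113.5:80     198.51.100.23:40211
SYN-RECV  0      0      203.0.113.5:80     198.51.100.24:40212
SYN-RECV  0      0      203.0.113.5:80     198.51.100.25:40213
SYN-RECV  0      0      203.0.113.5:80     198.51.100.26:40214
SYN-RECV  0      0      203.0.113.5:80     198.51.100.27:40215
SYN-RECV  0      0      203.0.113.5:80     198.51.100.28:40216
SYN-RECV  0      0      203.0.113.5:80     192.0.2.9:51000
ESTAB     0      0      203.0.113.5:22     192.0.2.10:51001
"""

# Hypothetical prefix-to-ASN table; the ASNs are from the private range
# (RFC 6996), not real operators.
PREFIX_TO_ASN = {
    ipaddress.ip_network("198.51.100.0/24"): 64500,
    ipaddress.ip_network("192.0.2.0/24"): 64496,
}


def parse_syn_recv(ss_text: str) -> Counter:
    """Count half-open connections per peer IP in `ss -tan` style output."""
    counts: Counter = Counter()
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "SYN-RECV":
            continue  # header, established sessions, other states
        peer_ip = fields[4].rsplit(":", 1)[0]  # strip the port (IPv4 form)
        counts[peer_ip] += 1
    return counts


def asn_for(ip: str, table=PREFIX_TO_ASN) -> Optional[int]:
    """Longest-prefix match against the table; None if the address is unknown."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, asn in table.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return best[1] if best else None


def syn_recv_per_asn(counts: Counter, table=PREFIX_TO_ASN) -> Counter:
    """Aggregate per-IP half-open counts up to the originating ASN."""
    per_asn: Counter = Counter()
    for ip, n in counts.items():
        asn = asn_for(ip, table)
        if asn is not None:
            per_asn[asn] += n
    return per_asn


class BlockList:
    """ASN blocks with a TTL and a hard cap, so rules are retired instead of
    accumulating in the firewall forever."""

    def __init__(self, ttl_seconds: float, max_entries: int):
        self.ttl = ttl_seconds
        self.max_entries = max_entries
        self.entries: "OrderedDict[int, float]" = OrderedDict()  # asn -> added

    def add(self, asn: int, now: float) -> bool:
        if asn in self.entries:
            return False
        self.entries[asn] = now
        while len(self.entries) > self.max_entries:
            self.entries.popitem(last=False)  # drop the oldest block first
        return True

    def expire(self, now: float) -> List[int]:
        stale = [asn for asn, t in self.entries.items() if now - t > self.ttl]
        for asn in stale:
            del self.entries[asn]
        return stale


def prefixes_for_asn(asn: int, table=PREFIX_TO_ASN) -> List[str]:
    return [str(net) for net, a in table.items() if a == asn]


def iptables_commands(asn: int, action: str, table=PREFIX_TO_ASN) -> List[str]:
    """Render the rule change for every prefix of the ASN ("block"/"unblock")."""
    flag = "-I" if action == "block" else "-D"
    return [f"iptables {flag} INPUT -s {p} -j DROP" for p in prefixes_for_asn(asn, table)]


def sweep(ss_text: str, blocklist: BlockList, now: float,
          threshold: int = 5, table=PREFIX_TO_ASN) -> List[str]:
    """One run of the periodic job: retire expired blocks, then block any ASN
    whose half-open count in this sample reaches the threshold."""
    cmds: List[str] = []
    for asn in blocklist.expire(now):
        cmds += iptables_commands(asn, "unblock", table)
    for asn, n in syn_recv_per_asn(parse_syn_recv(ss_text), table).items():
        if n >= threshold and blocklist.add(asn, now):
            cmds += iptables_commands(asn, "block", table)
    return cmds


if __name__ == "__main__":
    # Three-day TTL matches the "a few days then drop off" pattern in the post.
    bl = BlockList(ttl_seconds=3 * 24 * 3600, max_entries=50)
    for cmd in sweep(SAMPLE_SS_OUTPUT, bl, now=time.time()):
        print(cmd)
```

Because the source addresses are forged, the ASN this blocks is the one whose addresses are being spoofed, not the attacker's; what the rule stops is the server's own SYN-ACKs being sent towards that network. Running the sweep from cron every few minutes and keeping the cap well under what the firewall can comfortably evaluate per packet is the whole of the "cog to keep greased".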

Generally, the attacks towards any given Brazilian network would last for a few days and then drop off entirely. I also suspect that most of the forged IP addresses are not in use. I attempted to ping a few and never received a reply (although it could be that ping packets were being blocked on the Brazilian side; I was able to ping a few IP addresses in a block that was being attacked, but never an IP address that “sent” a SYN packet).

Ideally, to fix this issue, network operators would filter forged source addresses at the edge of their networks, where customer machines connect (the ingress filtering described in BCP 38), and shut off the connection to the compromised computer. Or maybe just nuke every Windows system off the Internet just to make sure.

In the meantime, I give up. I removed all the blocks I've built up over the past few months (70 of them—nearly one a day) and just resigned myself to be an unwilling participant in a Brazilian DDoS attack.

Sigh.