Today I got a TCP SYN Flood attack on one of my clients.
The attack wasn't that big (~150-200 kpps and a few hundred Mbps) but it managed to bring almost everything down. The uplink is 10 Gbit so it was nowhere near physical medium congestion, and I confirmed that my upstream did not have any congestion issues either (i.e. the attack was not volumetric).
Until FastNetMon kicked in to blackhole the victim's IP, the router was essentially unreachable and everything behind it either had high latency or packet loss.
Winbox and SSH could not connect at all.
I use raw filters to no-track all the forwarded traffic. With UDP attacks, even at 1 Mpps and 7-8 Gbps, the router wouldn't even sweat! No-track works like a charm for these attacks!
But with TCP SYN Flood the router just freaked out.
I don't use TCP SYN Cookies nor connection tracking.
For a brief moment I was able to connect with winbox and I saw that most of the cpu usage was on 'networking'.
The router is a CCR1036-8G-2S+ running ROS v6.38.5 with FW v3.33.
Has anyone else had a similar experience with this?
Was this normal? Shouldn't the router just forward the traffic? Why did SYN Flood cause so much cpu usage?
Any tips on how to avoid high CPU usage on future SYN Flood attacks?
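For readers who have not seen the raw no-track setup the post refers to, here is an added example of what such a configuration looks like in RouterOS v6 terminal syntax. It is not the original poster's configuration and not taken from the thread: the interface name ether1 and the split between router-destined and forwarded traffic are assumptions, so adapt them to your own setup.

```routeros
# Added example, not the poster's config. Assumes the uplink is ether1;
# replace with your own interface name.
/ip firewall raw
# Packets addressed to the router itself (Winbox, SSH, routing protocols)
# are accepted here, so they leave the raw chain and still pass through
# connection tracking and the normal /ip firewall filter rules.
add chain=prerouting in-interface=ether1 dst-address-type=local \
    action=accept comment="router-destined traffic stays tracked"
# Everything else arriving on the uplink is transit traffic for customers;
# marking it notrack skips connection tracking entirely, which is what
# keeps a UDP flood from costing conntrack CPU and memory.
add chain=prerouting in-interface=ether1 dst-address-type=!local \
    action=notrack comment="bypass conntrack for forwarded traffic"
```

Two things to keep in mind when checking such a setup: the order of the two rules matters, because raw `accept` only ends raw-chain processing for that packet and does not bypass the rest of the firewall, while `notrack` is what actually removes the packet from connection tracking; and `dst-address-type=local` covers only addresses configured on the router, so traffic for customer prefixes behind it is correctly treated as forwarded. Whether this alone prevents the CPU load the post describes under a TCP SYN flood is exactly the question the post raises, and the example does not claim to answer it.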