6

During a DDoS attack, if we are finding IPs we want to block, will we see better performance using a null route as opposed to iptables?

For null routing we would do something like:

ip route add blackhole <ip or range>

In iptables:

/sbin/iptables -A INPUT -s <ip or range> -j DROP

Is there no difference? I would suspect route would work better, but am not certain.

scott
  • What do you mean by "performance" exactly? Are you talking about CPU load? Interrupt load? Network congestion? (One of the first three questions I ask people when doing DDoS mitigation is "How exactly is the attack hurting you?" If it's, for example, hurting you by saturating your inbound bandwidth, then this won't matter at all, the inbound bandwidth used will be the same.) – David Schwartz Oct 01 '12 at 22:44

3 Answers

5

Assuming you're blocking based on source address and not destination, then doing the DROP in raw/PREROUTING would work well as you would essentially be able to drop the packet before any routing decision is made.

Remember however that iptables rules are essentially a linked-list and for optimum performance when blocking a number of addresses you should use an ipset.

On the other hand if blocking by destination, there is likely little difference between blocking at the routing table vs iptables EXCEPT if source IPs are spoofed in which case the blackholed entries may consume routing cache resources; in this case, raw/PREROUTING remains preferable.

Olipro
  • Can you clarify what you mean by "prerouting"? Why would spoofed IPs make a difference in performance? – scott Oct 01 '12 at 22:39
  • raw/PREROUTING as in, the chain in iptables, read the manpage. It should be obvious why dropping a packet *prior* to a routing decision can be faster. – Olipro Oct 01 '12 at 23:29
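The approach the answer above describes, as an added example that is not part of any answer on this page: a small POSIX shell script that turns a blocklist into one ipset plus a single raw/PREROUTING rule matching that set (so packets are dropped before routing and before connection tracking, and the rule count stays at one however many addresses are blocked), next to the equivalent blackhole route commands for comparison. The set name ddos_block and the sample networks are assumptions.

```shell
#!/bin/sh
# Added example, not code from the question or answers.
# Generates `ipset restore` and `iptables-restore` input for a source-address
# blocklist, dropping matches in raw/PREROUTING via a single ipset rule.

SET_NAME="ddos_block"   # assumed set name

# Constructed sample blocklist (documentation ranges, one entry per line).
SAMPLE_BLOCKLIST='203.0.113.0/24
198.51.100.7
# comments and blank lines are ignored

192.0.2.0/25'

# Read networks from stdin; emit an `ipset restore` script that creates the set
# (hash:net accepts both single hosts and CIDR ranges) and adds every entry.
gen_ipset_restore() {
    echo "create $SET_NAME hash:net family inet hashsize 4096 maxelem 1000000 -exist"
    while read -r net; do
        [ -z "$net" ] && continue
        case "$net" in \#*) continue ;; esac
        echo "add $SET_NAME $net -exist"
    done
}

# Emit an `iptables-restore` fragment for the raw table: one rule, evaluated
# before the routing decision and before conntrack, matching the whole set.
gen_raw_table() {
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -m set --match-set $SET_NAME src -j DROP
COMMIT
EOF
}

# For comparison: the blackhole-route form. A route only affects packets this
# host tries to send back; the inbound packet still reaches the daemon first.
gen_blackhole_routes() {
    while read -r net; do
        [ -z "$net" ] && continue
        case "$net" in \#*) continue ;; esac
        echo "ip route add blackhole $net"
    done
}

# Demo: print what would be fed to `ipset restore` and `iptables-restore --noflush`.
printf '%s\n' "$SAMPLE_BLOCKLIST" | gen_ipset_restore
gen_raw_table
```

Apply with `printf '%s\n' "$SAMPLE_BLOCKLIST" | gen_ipset_restore | ipset restore` and `gen_raw_table | iptables-restore --noflush` (the `--noflush` keeps existing rules); reloading the set later needs no change to the iptables rule.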
2

Your outgoing route isn't going to matter until you try to send a packet back to the attacker. By that time you will have already incurred most of the cost of socket setup and may even have a thread blocking waiting for the kernel to conclude you have no route to host, plus whatever error handling your server process does when it concludes there's a network problem.

iptables or another firewall will allow you to block the incoming traffic and discard it before it reaches the daemon process on your server. It seems clearly superior in this use case.

Michael McNally
0

iptables is the standard tool for blocking DDoS attacks. I happen to have a huge iptables list under very heavy DDoS attack and it works very well. I would prefer iptables.

Hex