[SYN flood attack] how to ban IP blocks if...

TheBronx
Junior Member
Posts: 5
Joined: 09 Jun 2012, 20:55

[SYN flood attack] how to ban IP blocks if...

Post by TheBronx »

Hi all. I've been working on mitigating the attacks my server is suffering, and now I have a question.
Is it possible to block IP ranges (IP blocks) when, let's say, 4 or more IPs from that block are already banned?
Here is a small capture of the traffic on port 80 during the last attack:

http://i.imgur.c om/m1oly.png (remove the space, sorry I can't post links)

(there is no filter in the capture, only port 80 connections)

It is just an example. I don't want to manually block 192.132.209.* because there are a lot of blocks, not just a few. I want the firewall to block them automatically. Is it possible?

SYNFLOOD is currently enabled:

Code:

SYNFLOOD = "1"
SYNFLOOD_RATE = "30/s"
SYNFLOOD_BURST = "10"

The attacks are under 50Mbps usually.

Thank you!
TheBronx
Junior Member
Posts: 5
Joined: 09 Jun 2012, 20:55

Re: [SYN flood attack] how to ban IP blocks if...

Post by TheBronx »

Another idea:
keep a record of SYN packets sent from each /24 IP block.

Example:
192.132.209.* -> 24 SYN packets
105.75.136.* -> 2 SYN packets
217.160.69.* -> 15 SYN packets
...


Every 1 minute (for example) the counter is reset.
If a range reaches 30 packets, the entire /24 block is banned.

Why this idea? Because if the attack comes from a ton of IPs, and each IP only sends a few SYN packets, CSF will do nothing.

Am I wrong? Is it a good idea? Is it possible? I'm not the expert, I'm just a user, and a SYN flood attack victim...

Thanks in advance!
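The per-/24 counter sketched in the post above, written out as an added Python example (it is not code from this thread or from CSF): SYN events are aggregated by /24 over a sliding 60-second window instead of a fixed per-minute reset, and a block is reported once it reaches the 30-packet threshold. The SYN log it replays is constructed for the demonstration, not a real capture.

```python
import ipaddress
from collections import defaultdict, deque

WINDOW_SECONDS = 60    # the "every 1 minute" interval from the post
BLOCK_THRESHOLD = 30   # SYNs per /24 per window before the whole block is banned
PREFIX_LEN = 24


def block_of(ip: str, prefix_len: int = PREFIX_LEN) -> str:
    """Map a source address to its covering block, e.g. 192.132.209.7 -> 192.132.209.0/24."""
    return str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))


class BlockSynCounter:
    """Sliding-window SYN counter keyed by /24 (sliding window is an assumption, not CSF's logic)."""

    def __init__(self, window: float = WINDOW_SECONDS, threshold: int = BLOCK_THRESHOLD):
        self.window, self.threshold = window, threshold
        self.events = defaultdict(deque)   # block -> timestamps of SYNs still inside the window
        self.banned = set()

    def observe(self, ts: float, src_ip: str):
        """Record one SYN; return the block if this SYN pushes it to the threshold, else None."""
        blk = block_of(src_ip)
        if blk in self.banned:
            return None
        q = self.events[blk]
        q.append(ts)
        while q and ts - q[0] >= self.window:   # expire SYNs older than the window
            q.popleft()
        if len(q) >= self.threshold:
            self.banned.add(blk)
            del self.events[blk]                 # no need to keep counting a banned block
            return blk
        return None


def replay(events, **kw):
    """Feed (seconds, source address) SYN events in time order; return blocks banned, in order."""
    counter, banned = BlockSynCounter(**kw), []
    for ts, ip in sorted(events):
        hit = counter.observe(ts, ip)
        if hit:
            banned.append(hit)
    return banned


def constructed_sample():
    """Constructed SYN log, not a real capture: the attack pattern described in the post."""
    ev = [(10 + i, f"192.132.209.{i + 1}") for i in range(35)]   # 35 hosts, 1 SYN each, within 35 s
    ev += [(12, "105.75.136.8"), (40, "105.75.136.9")]           # a quiet block: 2 SYNs
    ev += [(i * 5, f"217.160.69.{i + 1}") for i in range(30)]    # 30 SYNs spread over 150 s
    return ev
```

Per-IP limits never fire on the first block (one SYN per host), but the /24 aggregate does; the third block sends the same 30 SYNs yet never has 30 inside one 60-second window, so it stays unbanned. At the firewall level, iptables' hashlimit match can key its rate limit on a source prefix with `--hashlimit-srcmask 24`, which is the same idea applied in the kernel.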