From: "Massimo S."
Reply-To: ml@ecomstation.it
Subject: Re: [eCS-ISP] injoy fw rules and (ddos) syn_rcved
To: ecs-isp@2rosenthals.com
Organization: Massimo S.
Message-ID: <380b6706-7e5f-80c3-3663-3cd4694dfe91@ecomstation.it>
Date: Fri, 6 Sep 2024 10:22:13 +0200
User-Agent: Mozilla/5.0 (OS/2; U; Warp 4.5; it-IT; rv:1.7.13) Gecko/20060424 Thunderbird/1.0.8 Mnenhy/0.7.4.0

Since sometimes SYN DDoS comes and goes, I've tried to do some tests with this Injoy rule, but I don't understand some things.

First of all, the rule seems to do nothing at all, even if I set a smaller value in Observe-Match-Count (300 is way too much). I don't see anything in the FW UI, nor in the logs:

    SYN-Flood
        Comment = "Detect incoming SYN flood",
        Rule-Action = Observe,
        Log-Control = Enabled,
        Log-Message = "Detected TCP SYN flood.",
        Log-Details = "More than 300 incoming TCP connections from the same user was received within one minute. The SYN flood is a possible (D)DOS attack that tries to open a large number of TCP connections on the attacked host. With all the connection slots taken, the victim will generally not be able to serve regular requests. Often modern Operating Systems have additional defensive techniques to overcome this attack. The attack is logged and attacker is blacklisted.",
        Log-Severity = High,
        Observation-Period = "1",
        Observe-Match-Count = 300,
        Direction = Incoming,
        Flags = "SYN -FIN -ACK",
        Enforce = Yes,

Is there a possibility for a rule to do this: if I receive a number (e.g. >20) of these entries below, on a certain protocol/port:

    0 STREAM 36488 http..80 136.243.53.94 SYN_RCVED

deny or ban that IP? I'm not sure about the Flags = "SYN -FIN -ACK" part.

Thanks a lot for any help,

massimo

On 21/11/2019 00:36, Steven Levine wrote:
> In , on 11/20/19
> at 11:01 PM, "Massimo S." said:
>
> Hi Massimo,
>
>> Does anyone know if there is a way to write an Injoy FW rule that closes a
>> number of connections in "SYN_RCVED" state?
>
>> 0 STREAM 36488 http..80 136.243.53.94 SYN_RCVED
>> 0 STREAM 21095 http..80 136.243.53.94 SYN_RCVED
>> 0 STREAM 11324 http..80 136.243.53.94 SYN_RCVED
>> 0 STREAM 52846 http..80 136.243.53.94 SYN_RCVED
>> 0 STREAM 63960 http..80 136.243.53.94 SYN_RCVED
>
> Take a look at the SYN-Flood rule in
>
> rulelib\dos\flood.cnf
>
>> I've seen there something like this:
>
>> Flags = "+ACK",
>
>> but it's not documented, AFAIK...
>
> It is, but not in tutorial form.
>
> firerule.dct defines:
>
> ATTRIBUTE Flags 68 string
>
> Unfortunately, Flags is a string so you have to search the .cnf files in
> the rulelib directory tree for valid values, but there are a number of
> examples.
>
> Steven
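A defender-side check for the question above (flag a source that holds more than N half-open connections on one port), as an added example that is not from the thread or from Injoy. It parses netstat-style lines in the form quoted in the message; the field meaning (socket, type, remote port, local service..port, remote host, state) is assumed, and the sample lines and addresses are constructed.

```python
"""Snapshot count of SYN_RCVED connections per remote host (added example).

Assumed line layout, matching the form quoted in the thread:
  <socket> STREAM <remote port> <local svc>..<local port> <remote host> <state>
This is the snapshot equivalent of the rule's Observe-Match-Count check.
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^\s*(?P<sock>\d+)\s+STREAM\s+(?P<rport>\d+)\s+"
    r"(?P<lsvc>\S*)\.\.(?P<lport>\d+)\s+(?P<remote>\S+)\s+(?P<state>[A-Z_]+)\s*$"
)

def parse_netstat(text):
    """Yield (local_port, remote_host, state); lines not in the layout are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m.group("lport")), m.group("remote"), m.group("state")

def half_open_by_source(text, local_port=80):
    """Count SYN_RCVED entries per remote host on the given local port."""
    counts = Counter()
    for lport, remote, state in parse_netstat(text):
        if state == "SYN_RCVED" and lport == local_port:
            counts[remote] += 1
    return counts

def flagged_sources(text, local_port=80, threshold=20):
    """Remote hosts holding more than `threshold` half-open connections (sorted)."""
    counts = half_open_by_source(text, local_port)
    return sorted(host for host, n in counts.items() if n > threshold)

def _lines(remote, svc, lport, state, n, first_rport=40000):
    """Build n constructed netstat lines for one remote host."""
    return [f"0 STREAM {first_rport + i} {svc}..{lport} {remote} {state}"
            for i in range(n)]

# Constructed sample snapshot using documentation address ranges (RFC 5737).
SAMPLE_NETSTAT = "\n".join(
    _lines("192.0.2.10", "http", 80, "SYN_RCVED", 25)        # over threshold on :80
    + _lines("198.51.100.7", "http", 80, "SYN_RCVED", 3)     # a few half-open: normal
    + _lines("198.51.100.7", "https", 443, "SYN_RCVED", 22)  # noisy on :443 only
    + _lines("203.0.113.5", "http", 80, "ESTABLISHED", 2)    # completed handshakes
)

if __name__ == "__main__":
    for host, n in half_open_by_source(SAMPLE_NETSTAT).most_common():
        print(f"{host:15} {n:4d} SYN_RCVED on :80")
    print("flagged:", flagged_sources(SAMPLE_NETSTAT))
```

Feed it the real snapshot (netstat output captured to a file) in place of SAMPLE_NETSTAT; the threshold and port are parameters so the same check can be run per service.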