ecs-isp@2rosenthals.com message #869

From: "Massimo S." <ecs-isp@2rosenthals.com>
Subject: Re: [eCS-ISP] injoy fw rules and (ddos) syn_rcved
Date: Fri, 6 Sep 2024 10:22:13 +0200
To: ecs-isp@2rosenthals.com

Since sometimes SYN DDoS comes and goes..
I've tried to do some tests with this InJoy rule,
but I don't understand some things.

First of all, the rule seems to do nothing at all,
even if I set a smaller value in Observe-Match-Count (300 is way too much..).
I don't see anything in the FW UI, nor in the logs.


SYN-Flood
Comment = "Detect incoming SYN flood",
Rule-Action = Observe,
Log-Control = Enabled,
Log-Message = "Detected TCP SYN flood.",
Log-Details = "More than 300 incoming TCP connections from the same user was received within one minute. The SYN flood is a possible (D)DOS attack that tries to open a large number of TCP connections on the attacked host. With all the connection slots taken, the victim will generally not be able to serve regular requests. Often modern Operating Systems have additional defensive techniques to overcome this attack. The attack is logged and attacker is blacklisted.",
Log-Severity = High,
Observation-Period = "1",
Observe-Match-Count = 300,
Direction = Incoming,
Flags = "SYN -FIN -ACK",
Enforce = Yes,

Is there a possibility
for a rule to do this:

if I receive a number, e.g. >20, of the entries below on a certain protocol/port:

       0 STREAM           36488        http..80   136.243.53.94  SYN_RCVED

deny or ban that IP?

since I'm not sure about the Flags = "SYN -FIN -ACK"


thanks a lot for any help


massimo



On 21/11/2019 00:36, Steven Levine wrote:
> In <list-3273592@2rosenthals.com>, on 11/20/19
>     at 11:01 PM, "Massimo S." <ecs-isp@2rosenthals.com> said:
>
> Hi Massimo,
>
>> Does anyone know if there is a way to write an InJoy fw rule that closes a
>> number of connections in "SYN_RCVED" state?
>>
>>       0 STREAM           36488        http..80   136.243.53.94  SYN_RCVED
>>       0 STREAM           21095        http..80   136.243.53.94  SYN_RCVED
>>       0 STREAM           11324        http..80   136.243.53.94  SYN_RCVED
>>       0 STREAM           52846        http..80   136.243.53.94  SYN_RCVED
>>       0 STREAM           63960        http..80   136.243.53.94  SYN_RCVED
>
> Take a look at the SYN-Flood rule in
>
>    rulelib\dos\flood.cnf
>
>> I've seen there something like this:
>>
>> Flags = "+ACK",
>>
>> but it's not documented, afaik...
>
> It is, but not in tutorial form.
>
> firerule.dct defines:
>
>    ATTRIBUTE    Flags                  68    string
>
> Unfortunately, Flags is a string so you have to search the .cnf files in
> the rulelib directory tree for valid values, but there are a number of
> examples.
>
> Steven
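The two things Massimo asks about, as an added example that is not part of the thread and not InJoy's own code: counting half-open (SYN_RCVED) sockets per remote IP on a given port from netstat-style output, and matching a TCP flag byte against a spec written like the rule's Flags string. The netstat line layout is taken from the lines quoted above; the reading of "SYN -FIN -ACK" as "SYN set, FIN and ACK clear" is an assumption, not something the InJoy documentation on this page confirms. The sample lines are constructed: the 136.243.53.94 entries are the ones from the thread, the other two addresses are reserved test-net addresses added to show what is excluded.

```python
import re
from collections import Counter

# TCP flag bits as laid out in the TCP header flags byte (RFC 793).
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def parse_flag_spec(spec):
    """Turn a spec such as "SYN -FIN -ACK" or "+ACK" into (must_set, must_clear) bitmasks.

    Interpretation used here (an assumption, not taken from InJoy documentation):
    a bare or '+'-prefixed flag must be set, a '-'-prefixed flag must be clear,
    and flags not mentioned are ignored.
    """
    must_set = must_clear = 0
    for token in spec.split():
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("+", token)
        bit = TCP_FLAGS[name.upper()]
        if sign == "-":
            must_clear |= bit
        else:
            must_set |= bit
    return must_set, must_clear


def flags_match(spec, flags):
    """True if a packet whose TCP flag byte is `flags` satisfies `spec`."""
    must_set, must_clear = parse_flag_spec(spec)
    return (flags & must_set) == must_set and (flags & must_clear) == 0


# One line of the netstat-style output quoted in the thread, read as:
#   queue  type  local-port  service..port  remote-ip  state
LINE_RE = re.compile(
    r"^\s*\d+\s+STREAM\s+\d+\s+\S+?\.\.(?P<port>\d+)\s+"
    r"(?P<remote>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<state>[A-Z_]+)\s*$"
)


def parse_connections(text):
    """Return (local_port, remote_ip, state) for every parseable line; other lines are skipped."""
    result = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            result.append((int(m.group("port")), m.group("remote"), m.group("state")))
    return result


def half_open_offenders(text, port=80, threshold=20):
    """Map remote IP -> number of SYN_RCVED sockets on `port`, keeping only IPs over `threshold`.

    Only half-open (SYN_RCVED) sockets are counted; ESTABLISHED connections from the
    same IP are ignored, so a busy but legitimate client is not listed for being busy.
    The result is the candidate ban list.
    """
    counts = Counter(
        ip for p, ip, state in parse_connections(text)
        if p == port and state == "SYN_RCVED"
    )
    return {ip: n for ip, n in counts.items() if n > threshold}


# Constructed sample: the five lines from the thread plus two benign entries.
SAMPLE_NETSTAT = """\
       0 STREAM           36488        http..80   136.243.53.94  SYN_RCVED
       0 STREAM           21095        http..80   136.243.53.94  SYN_RCVED
       0 STREAM           11324        http..80   136.243.53.94  SYN_RCVED
       0 STREAM           52846        http..80   136.243.53.94  SYN_RCVED
       0 STREAM           63960        http..80   136.243.53.94  SYN_RCVED
       0 STREAM           40112        http..80   198.51.100.7   ESTABLISHED
       0 STREAM           55000        smtp..25   203.0.113.9    SYN_RCVED
"""

if __name__ == "__main__":
    # Threshold lowered to 3 so the short sample trips the check; use ~20 on real output.
    print(half_open_offenders(SAMPLE_NETSTAT, port=80, threshold=3))
    # A bare SYN (0x02) matches "SYN -FIN -ACK"; the SYN/ACK reply (0x12) does not.
    print(flags_match("SYN -FIN -ACK", 0x02), flags_match("SYN -FIN -ACK", 0x12))
```

Run periodically against real netstat output, the offender list is what a deny rule or blacklist would be fed; the script only produces the list and does not talk to the firewall. The flag check shows why a spec that clears ACK is the right shape for catching handshake-opening SYNs: the SYN/ACK sent back by the server, and every later segment of an established connection, carries ACK and so falls outside it.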

