From: "Massimo S." <ecs-isp@2rosenthals.com>
Subject: Re: [eCS-ISP] injoy fw rules and (ddos) syn_rcved
Date: Fri, 6 Sep 2024 10:22:13 +0200
To: ecs-isp@2rosenthals.com

Since sometimes SYN DDoS comes and goes..
I've tried to do some tests with this InJoy rule,
but I don't understand some things.
First of all, the rule seems to do nothing at all,
even if I set a smaller value in Observe-Match-Count (300 is way too much..);
I don't see anything in the FW UI, nor in the logs.

SYN-Flood
Comment = "Detect incoming SYN flood",
Rule-Action = Observe,
Log-Control = Enabled,
Log-Message = "Detected TCP SYN flood.",
Log-Details = "More than 300 incoming TCP connections from the same user was received within one minute. The SYN flood is a possible (D)DOS attack that tries to open a large number of TCP connections on the attacked host. With all the connection slots taken, the victim will generally not be able to serve regular requests. Often modern Operating Systems have additional defensive techniques to overcome this attack. The attack is logged and attacker is blacklisted.",
Log-Severity = High,
Observation-Period = "1",
Observe-Match-Count = 300,
Direction = Incoming,
Flags = "SYN -FIN -ACK",
Enforce = Yes,

Is there a possibility
for a rule to do this:
if I receive a number, e.g. >20, of the entries below, on a certain protocol/port:
0 STREAM 36488 http..80 136.243.53.94 SYN_RCVED
deny or ban that IP?
Since I'm not sure about the Flags = "SYN -FIN -ACK" line.
Thanks a lot for any help,
massimo

On 21/11/2019 00:36, Steven Levine wrote:
> In <list-3273592@2rosenthals.com>, on 11/20/19
> at 11:01 PM, "Massimo S." <ecs-isp@2rosenthals.com> said:
>
> Hi Massimo,
>
>> Does anyone know if there is a way to write an InJoy fw rule that closes a
>> number of connections in "SYN_RCVED" state?
>> 0 STREAM 36488 http..80 136.243.53.94 SYN_RCVED
>> 0 STREAM 21095 http..80 136.243.53.94 SYN_RCVED
>> 0 STREAM 11324 http..80 136.243.53.94 SYN_RCVED
>> 0 STREAM 52846 http..80 136.243.53.94 SYN_RCVED
>> 0 STREAM 63960 http..80 136.243.53.94 SYN_RCVED
>
> Take a look at the SYN-Flood rule in
> rulelib\dos\flood.cnf
>
>> I've seen there stuff something like this:
>> Flags = "+ACK",
>> but it's not documented, afaik...
>
> It is, but not in tutorial form.
>
> firerule.dct defines:
>
> ATTRIBUTE Flags 68 string
>
> Unfortunately, Flags is a string so you have to search the .cnf files in
> the rulelib directory tree for valid values, but there are a number of
> examples.
>
> Steven
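As an added example that is not part of this thread and is not InJoy Firewall code, the Python below does offline the two things Massimo asks about: it counts SYN_RCVED (half-open) connections per remote address in netstat output of the layout pasted above and lists the addresses over a threshold (the candidates for a deny rule), and it keeps a per-source sliding-window counter in the spirit of the rule's Observation-Period / Observe-Match-Count pair. The reading of a Flags spec such as "SYN -FIN -ACK" (unprefixed or "+" token = flag must be set, "-" token = flag must be clear, so the spec selects an initial SYN) is my assumption; the page only says the valid values live in the rulelib .cnf files. The sample netstat lines are constructed; the 192.0.2.0/24 and 198.51.100.0/24 addresses are documentation ranges. Acting on the returned list (blacklisting) is left to whatever firewall is in front of the host.

```python
"""Half-open connection counting and a SYN-rate window, as an added example.
Not code from the thread or from InJoy Firewall; see the assumptions above."""
import re
from collections import Counter, defaultdict, deque
from typing import Deque, Dict, List, Optional, Set, Tuple

# Constructed sample in the column layout pasted in the thread:
# <count> STREAM <local port> <service..port> <remote addr> <state>
SAMPLE_NETSTAT = """\
0 STREAM 36488 http..80 136.243.53.94 SYN_RCVED
0 STREAM 21095 http..80 136.243.53.94 SYN_RCVED
0 STREAM 11324 http..80 136.243.53.94 SYN_RCVED
0 STREAM 52846 http..80 136.243.53.94 SYN_RCVED
0 STREAM 63960 http..80 136.243.53.94 SYN_RCVED
0 STREAM 40001 http..80 192.0.2.10 ESTABLISHED
0 STREAM 40002 https..443 198.51.100.7 SYN_RCVED
0 STREAM 40003 http..80 198.51.100.7 SYN_RCVED
"""

LINE_RE = re.compile(
    r"^\s*\d+\s+STREAM\s+\d+\s+(?P<svc>[^.\s]+)\.\.(?P<port>\d+)"
    r"\s+(?P<remote>\S+)\s+(?P<state>\S+)\s*$"
)


def parse_netstat(text: str) -> List[Tuple[int, str, str]]:
    """Return (local_port, remote_addr, state) per matching line; anything
    that is not a TCP socket line in this layout is skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append((int(m["port"]), m["remote"], m["state"]))
    return rows


def half_open_by_source(text: str, port: Optional[int] = None) -> Counter:
    """SYN_RCVED entries per remote address, optionally only for one local
    port (80 for the http..80 lines in the thread)."""
    counts: Counter = Counter()
    for lport, remote, state in parse_netstat(text):
        if state == "SYN_RCVED" and (port is None or lport == port):
            counts[remote] += 1
    return counts


def offenders(text: str, threshold: int, port: Optional[int] = None) -> List[str]:
    """Remote addresses holding MORE than `threshold` half-open connections,
    worst first: the list a deny/ban rule would act on."""
    return [ip for ip, n in half_open_by_source(text, port).most_common() if n > threshold]


def flags_match(spec: str, packet_flags: Set[str]) -> bool:
    """ASSUMED reading of a Flags spec (not InJoy's documented semantics):
    "-X" means flag X must be clear, "+X" or bare "X" means X must be set.
    Under this reading "SYN -FIN -ACK" matches only an initial SYN."""
    for tok in spec.split():
        want_set = not tok.startswith("-")
        name = tok.lstrip("+-").upper()
        if (name in packet_flags) != want_set:
            return False
    return True


class SynWindowCounter:
    """Per-source count of flag-matching packets inside a sliding window of
    `period_s` seconds. record() returns True once a source has MORE than
    `match_count` hits in the window (the Observe-Match-Count idea)."""

    def __init__(self, period_s: float, match_count: int, flag_spec: str = "SYN -FIN -ACK"):
        self.period_s = period_s
        self.match_count = match_count
        self.flag_spec = flag_spec
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def record(self, src: str, ts: float, packet_flags: Set[str]) -> bool:
        if not flags_match(self.flag_spec, packet_flags):
            return False  # not an initial SYN: not counted
        q = self._hits[src]
        q.append(ts)
        while q and q[0] <= ts - self.period_s:  # drop hits outside the window
            q.popleft()
        return len(q) > self.match_count


if __name__ == "__main__":
    # With Massimo's ">20" replaced by 3 so the constructed sample trips it.
    print("half-open per source:", dict(half_open_by_source(SAMPLE_NETSTAT, port=80)))
    print("over threshold on port 80:", offenders(SAMPLE_NETSTAT, 3, port=80))
```

Two details worth noting when wiring this to a real rule: the threshold comparison is strict ("more than", matching the rule's own log text), and the window counter only counts packets that pass the flag filter, so a burst of ACKs or RSTs from a source never contributes to its SYN score.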