From: "Steven Levine"
Message-ID: <66dd13d5.11.mr2ice.fgrirsq@earthlink.net>
Date: Sat, 07 Sep 2024 20:02:45 -0700
To: "eCS ISP Mailing List"
In-Reply-To:
Subject: Re: [eCS-ISP] injoy fw rules and (ddos) syn_rcved
X-Mailer: MR/2 Internet Cruiser Edition for OS/2 v3.00.11.24/60

In , on 09/06/24 at 10:22 AM, "Massimo S."
said:

Hi Massimo,

>SYN-Flood
> Comment = "Detect incoming SYN flood",
> Rule-Action = Observe,
> Log-Control = Enabled,
> Log-Message = "Detected TCP SYN flood.",
> Log-Details = "More than 300 incoming TCP connections from the same
> Log-Severity = High,
> Observation-Period = "1",
> Observe-Match-Count = 300,
> Direction = Incoming,
> Flags = "SYN -FIN -ACK",
> Enforce = Yes,

I took the liberty of dropping the Log-Details clause to make the rule more readable.

I am going to assume you started with the supplied rule from flood.cnf and copied it to your firerule.cnf and did something to make the same named rule in dos/flood.cnf go away. If not, you might have two rules with the same name, which is not allowed. Did you check ijfw\logs\firewall.log for rule errors?

Observe rule processing is a bit complicated. From my notes -

Rule-Action = Observe
  Builds observe rules based on Observation-Rule
  Observation-Rule defaults to self
  Builds blacklist rule when triggered
  Blacklist rule built using Blacklist-Rule as template
  Blacklist-Rule defaults to self

From template\firerule.cnf we have

Observation-Rule = "this",

Since the Observation-Rule defaults to this, when the Observe condition is met, ijfw uses the contents of the SYN-Flood rule to build a dynamic rule to process the condition. Any missing settings that ijfw needs to build the rule will be taken from template\firerule.cnf. This will include

Log-Mask = "date time severity message resolved_source_s resolved_dest_s dump",
Log-File = "firewall/logs/security.log",
Log-Size = 2000,

The result will be a rule that logs the flood condition to firewall/logs/security.log

Since the Blacklist-Rule defaults to this, when the Observe condition is met, ijfw again uses the contents of the SYN-Flood rule to build a rule to process the condition. Again, any missing settings that ijfw needs to build the rule will be taken from template\firerule.cnf. This will include

Blacklist-Period = "0:12:0",
Blacklist-Rule = "this",

The result should be a rule that blacklists the source for 12 hours.

Now, how to debug this. First make sure that the rule shows up in the GUI's active rules list. Then make sure that the hit count increases at the rate you expect. If not, an Observe-Match-Count of 1 should treat every SYN packet as a DOS attempt. Useful for testing, but not much else.

If you continue to have problems, make a copy of the rule and edit it to observe some event you know is occurring. Once this rule is working, backport your changes to the non-working rule.

>is there a possibility
>for a rule to do this:
>if i receive a number eg.
>20 of these stuff below, on a certain
>protocol/port:
> 0 STREAM 36488 http..80 136.243.53.94
>SYN_RCVED
>deny or ban that IP?

You can always make a given rule more specialized. Look at template\firerule.cnf for a list of the available keywords. Look at template\firerule.dct for the possible values for settings that do not take string values.

However, you probably don't need this. As I understand it, the Observe counts are already tracked by ip and port. If not, any busy system with more than 300 connection attempts per minute would have a very large blacklist file.

>since i'm not sure about the "Flags = "SYN -FIN -ACK"

This is how every typical TCP/IP connection starts. From an ipformat listing that happens to be hanging around

TCP: Source Port: 56723 (Unassigned port) Dest Port: 110 (Unassigned port)
TCP: Sequence #: 1823628155
TCP: Ack #: 0
TCP: Offset: 28 bytes
TCP: Flags: 02
TCP: ..0. .... Urgent bit Off
TCP: ...0 .... Ack bit Off
TCP: .... 0... Push bit Off
TCP: .... .0.. Reset bit Off
TCP: .... ..1. Synchronize bit On
TCP: .... ...0 Finish bit Off

Hindsight says I may not have answered your original question in the best way back in 2019. You asked.

>> anyone knows if there is a way to write an injoy fw rules that close a
>> number of connections in "SYN_RCVED" state?

The answer is no. While ijfw can drop packets, it cannot manufacture them and send them on to the tcp/ip stack. After all these years, I'm not quite sure I understood what you were asking back then.

Steven

--
----------------------------------------------------------------------
"Steven Levine" Warp/DIY/BlueLion etc.
www.scoug.com www.arcanoae.com www.warpcave.com
----------------------------------------------------------------------
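The Observe/blacklist behaviour Steven describes above, worked through in Python as an added example (this is not code from the post, from InJoy or from ijfw): a per-source count of inbound packets that match Flags = "SYN -FIN -ACK" over a sliding one-minute Observation-Period, with the source blacklisted for the 12-hour Blacklist-Period once Observe-Match-Count is reached, plus a decoder for the TCP flags byte that the ipformat listing shows as 02. The packet tuple shape, the per-source sliding window, the constructed sample traffic and the choice to fire when the count reaches 300 rather than exceeds it are all assumptions of mine, not facts about ijfw.

```python
# Added illustration; not ijfw/InJoy code. Packets are modelled as
# (timestamp_seconds, source_ip, tcp_flags_byte). Whether ijfw fires on
# the 300th or the 301st match is not stated in the post; "count reached"
# is assumed here, which also makes Observe-Match-Count = 1 fire on every SYN.
from collections import defaultdict, deque

# TCP flag bits in the low byte of the 13th octet of the TCP header (RFC 793);
# the ipformat dump shows a value of 02, i.e. only SYN set.
TCP_FIN = 0x01
TCP_SYN = 0x02
TCP_RST = 0x04
TCP_PSH = 0x08
TCP_ACK = 0x10
TCP_URG = 0x20


def decode_flags(flags):
    """Names of the set bits in the order ipformat lists them (0x02 -> ['SYN'])."""
    names = [("URG", TCP_URG), ("ACK", TCP_ACK), ("PSH", TCP_PSH),
             ("RST", TCP_RST), ("SYN", TCP_SYN), ("FIN", TCP_FIN)]
    return [n for n, bit in names if flags & bit]


def matches_syn_rule(flags):
    """Flags = "SYN -FIN -ACK": SYN set, FIN and ACK clear.

    Only the first packet of a three-way handshake matches; the peer's
    SYN+ACK reply (0x12) does not, so replies to our own connections never count.
    """
    return bool(flags & TCP_SYN) and not flags & (TCP_FIN | TCP_ACK)


class SynFloodObserver:
    """Per-source SYN counter with a sliding window and a timed blacklist."""

    def __init__(self, observation_period=60, match_count=300,
                 blacklist_period=12 * 3600):
        self.period = observation_period          # Observation-Period = "1" (minute)
        self.match_count = match_count            # Observe-Match-Count = 300
        self.blacklist_period = blacklist_period  # Blacklist-Period = "0:12:0"
        self.hits = defaultdict(deque)            # src -> timestamps of matching SYNs
        self.blacklist = {}                       # src -> expiry timestamp

    def is_blacklisted(self, src, now):
        expiry = self.blacklist.get(src)
        if expiry is None:
            return False
        if now >= expiry:                         # entry has aged out
            del self.blacklist[src]
            return False
        return True

    def observe(self, ts, src, flags):
        """Process one inbound packet; return 'drop', 'blacklist' or 'pass'."""
        if self.is_blacklisted(src, ts):
            return "drop"
        if not matches_syn_rule(flags):
            return "pass"
        window = self.hits[src]
        window.append(ts)
        while window and ts - window[0] > self.period:  # forget old matches
            window.popleft()
        if len(window) >= self.match_count:
            # Observe condition met: create the blacklist entry (the dynamic
            # rule ijfw derives from Blacklist-Rule = "this") and start over.
            self.blacklist[src] = ts + self.blacklist_period
            window.clear()
            return "blacklist"
        return "pass"


def run_demo():
    """Constructed traffic (not captured data): a slow but steady SYN source,
    a source that only sends SYN+ACKs, and a flooding source."""
    obs = SynFloodObserver()
    # Two SYNs per second for 200 s: at most 122 fall inside any 60 s window.
    slow = [obs.observe(i // 2, "203.0.113.5", TCP_SYN) for i in range(400)]
    # 400 SYN+ACKs, the server side of handshakes: never counted.
    synack = [obs.observe(i // 10, "198.51.100.7", TCP_SYN | TCP_ACK)
              for i in range(400)]
    # 301 SYNs from one address, ten per second: the 300th trips the rule.
    flood = [obs.observe(i // 10, "192.0.2.10", TCP_SYN) for i in range(301)]
    later = obs.observe(31, "192.0.2.10", TCP_SYN)
    after_12h = obs.observe(29 + 12 * 3600, "192.0.2.10", TCP_SYN)
    return {
        "slow_blacklisted": "blacklist" in slow,      # False
        "synack_blacklisted": "blacklist" in synack,  # False
        "flood_trips_at": flood.index("blacklist"),  # 299 (the 300th SYN)
        "flood_next": flood[300],                     # 'drop'
        "flood_later": later,                         # 'drop'
        "flood_after_12h": after_12h,                 # 'pass'
    }


if __name__ == "__main__":
    print(decode_flags(0x02), run_demo())
```

Running it shows the 300th SYN from the flooding address creating the blacklist entry, every later packet from it dropped until the 12 hours are up, and neither the SYN+ACK replies nor the slow source ever tripping the rule; constructing the observer with match_count=1, as the post suggests for testing, blacklists the first SYN it sees.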