In <list-10820587@2rosenthals.com>, on 09/06/24
at 10:22 AM, "Massimo S." <ecs-isp@2rosenthals.com> said:
Hi Massimo,
>SYN-Flood
> Comment = "Detect incoming SYN flood",
> Rule-Action = Observe,
> Log-Control = Enabled,
> Log-Message = "Detected TCP SYN flood.",
> Log-Details = "More than 300 incoming TCP connections from the same
> Log-Severity = High,
> Observation-Period = "1",
> Observe-Match-Count = 300,
> Direction = Incoming,
> Flags = "SYN -FIN -ACK",
> Enforce = Yes,
I took the liberty of dropping the Log-Details clause to make the rule
more readable.
I am going to assume you started with the supplied rule from flood.cnf and
copied it to your firerule.cnf and did something to make the same named
rule in dos/flood.cnf go away. If not, you might have two rules with the
same name which is not allowed.
Did you check ijfw\logs\firewall.log for rule errors?
Observe rule processing is a bit complicated. From my notes
- Rule-Action = Observe
Builds observe rules based on Observation-Rule
Observation-Rule defaults to self
Builds blacklist rule when triggered
Blacklist rule built using Blacklist-Rule as template
Blacklist-Rule defaults to self
From template\firerule.cnf we have
Observation-Rule = "this",
Since the Observation-Rule defaults to this, when the Observe condition is
met, ijfw uses the contents of the SYN-Flood rule to build a dynamic rule
to process the condition. Any missing settings that ijfw needs to build
the rule will be taken from template\firerule.cnf. This will include
The result will be a rule that logs the flood condition to
firewall/logs/security.log
Since the Blacklist-Rule defaults to this, when the Observe condition is
met, ijfw again uses the contents of the SYN-Flood rule to build a rule to
process the condition. Again, any missing settings that ijfw needs to
build the rule will be taken from template\firerule.cnf. This will
include
The result should be a rule that blacklists the source for 12 hours.
Now, how to debug this. First make sure the rule shows up in the
GUI's active rules list. Then make sure that the hit count increases at
the rate you expect. If not, an Observe-Match-Count of 1 should treat
every SYN packet as a DOS attempt. Useful for testing, but not much else.
If you continue to have problems, make a copy of the rule and edit it to
observe some event you know is occurring. Once this rule is working,
backport your changes to the non-working rule.
>is there a possibility
>for a rule to do this:
>if i receive a number eg. >20 of these stuff below, on a certain
>protocol/port:
You can always make a given rule more specialized. Look at
template\firerule.cnf for a list of the available keywords. Look at
template\firerule.dct for the possible values for settings that do not take
string values.
However, you probably don't need this. As I understand it, the Observe
counts are already tracked by ip and port. If not, any busy system with
more than 300 connection attempts per minute would have a very large
blacklist file.
>since i'm not sure about the "Flags = "SYN -FIN -ACK"
This is how every typical TCP/IP connection starts. From an ipformat
listing that happens to be hanging around:
TCP: Source Port: 56723 (Unassigned port) Dest Port: 110
(Unassigned port)
TCP: Sequence #: 1823628155
TCP: Ack #: 0
TCP: Offset: 28 bytes
TCP: Flags: 02
TCP: ..0. .... Urgent bit Off
TCP: ...0 .... Ack bit Off
TCP: .... 0... Push bit Off
TCP: .... .0.. Reset bit Off
TCP: .... ..1. <SYN> Synchronize bit On
TCP: .... ...0 Finish bit Off
Hindsight says I may not have answered your original question in the best
way back in 2019. You asked:
>> anyone knows if there is a way to write an injoy fw rules that close a
>> number of connections in "SYN_RCVED" state?
The answer is no. While ijfw can drop packets, it cannot manufacture
them and send them on to the tcp/ip stack.
After all these years, I'm not quite sure I understood what you were
asking back then.
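
The following is an added illustration, not part of the message above and not InJoy Firewall code: a small Python model of what the message describes, namely a Flags clause such as "SYN -FIN -ACK" matched against the flags byte shown in the ipformat listing (02 = SYN only), and an Observe rule that counts matching packets over an observation period and builds a blacklist entry for 12 hours once Observe-Match-Count is reached. Everything about ijfw's internals here is an assumption: hits are keyed by (source IP, destination port) as the message supposes, the observation period is taken in seconds, the entry trips when the count reaches Observe-Match-Count (so a count of 1 trips on every SYN, as the message suggests), and log lines go to a list instead of security.log. The traffic fed to it is constructed inline.

```python
from collections import defaultdict, deque

# TCP flag bits in the low byte of the flags field (RFC 793); 0x02 is the
# "Flags: 02" line in the ipformat listing, i.e. SYN set, everything else clear.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def parse_flag_spec(spec):
    """Turn an ijfw-style Flags string such as "SYN -FIN -ACK" into two masks.
    Assumed semantics: a bare name means the bit must be set, a leading '-' means
    it must be clear, and bits not named (RST, PSH, URG here) are don't-care."""
    must_set = must_clear = 0
    for token in spec.split():
        if token.startswith("-"):
            must_clear |= TCP_FLAGS[token[1:]]
        else:
            must_set |= TCP_FLAGS[token]
    return must_set, must_clear


def flags_match(flags, spec):
    """True when the packet's flags byte satisfies the Flags clause."""
    must_set, must_clear = parse_flag_spec(spec)
    return (flags & must_set) == must_set and (flags & must_clear) == 0


def decode_flags(flags):
    """Name the bits that are on, e.g. 0x02 -> 'SYN', 0x12 -> 'SYN+ACK'."""
    return "+".join(name for name, bit in TCP_FLAGS.items() if flags & bit) or "none"


class SynFloodObserver:
    """Model of Rule-Action = Observe with Observation-Rule and Blacklist-Rule
    both defaulting to the rule itself (hypothetical reconstruction, not ijfw code)."""

    def __init__(self, spec="SYN -FIN -ACK", period=60, match_count=300,
                 blacklist_for=12 * 3600):
        self.spec = spec                  # the Flags clause
        self.period = period              # Observation-Period, assumed in seconds
        self.match_count = match_count    # Observe-Match-Count
        self.blacklist_for = blacklist_for  # 12 hours, as the message states
        self.hits = defaultdict(deque)    # (src_ip, dst_port) -> timestamps in window
        self.blacklist = {}               # src_ip -> expiry timestamp
        self.log = []                     # stands in for firewall/logs/security.log

    def process(self, ts, src_ip, dst_port, flags):
        """Return 'drop' for a blacklisted source, 'blacklist' when this packet
        trips the threshold, 'observe' for a counted packet, 'pass' otherwise."""
        expiry = self.blacklist.get(src_ip)
        if expiry is not None:
            if ts < expiry:
                return "drop"
            del self.blacklist[src_ip]    # 12 hours are up; start over
        if not flags_match(flags, self.spec):
            return "pass"                 # e.g. SYN+ACK is excluded by "-ACK"
        window = self.hits[(src_ip, dst_port)]
        window.append(ts)
        while window and window[0] <= ts - self.period:
            window.popleft()              # slide the observation window
        if len(window) >= self.match_count:
            self.blacklist[src_ip] = ts + self.blacklist_for
            self.log.append(f"{ts} High: Detected TCP SYN flood from {src_ip} "
                            f"to port {dst_port} ({len(window)} SYNs in {self.period}s)")
            window.clear()
            return "blacklist"
        return "observe"


def demo():
    """Constructed traffic: 300 bare SYNs from one host within a second, then a
    SYN+ACK and one normal SYN from another host, then the flooder after expiry."""
    obs = SynFloodObserver(period=60, match_count=300)
    results = [obs.process(1000.0 + i * 0.001, "10.0.0.9", 110, 0x02)
               for i in range(300)]                      # 299 x observe, then blacklist
    results.append(obs.process(1001.0, "10.0.0.9", 110, 0x02))      # drop
    results.append(obs.process(1001.0, "192.0.2.5", 110, 0x12))     # pass (SYN+ACK)
    results.append(obs.process(1001.0, "192.0.2.5", 110, 0x02))     # observe
    results.append(obs.process(1000.0 + 12 * 3600 + 1, "10.0.0.9", 110, 0x02))  # observe
    return results


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Setting match_count=1 on the observer reproduces the "treat every SYN packet as a DOS attempt" test the message proposes: the first bare SYN from any source goes straight to the blacklist, which is handy for confirming the rule is actually being evaluated before tuning the real threshold.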