Sync attack or DDOS prevention settings in CSF firewall

The two directives are PORTFLOOD and SYNFLOOD.

SYNFLOOD is disabled by default. If you are not receiving any sort of attack, there is no need to enable it. If you are expecting an attack, enable it and set the rules a bit strict, like




i.e. if 30 connections are received from an IP/sec for 10 times, block it. Make sure don’t keep it too strict if you are not receiving an attack else it will generate false positives and will block legit connections.

PORTFLOOD = 80;tcp;100;5,22;tcp;5;300

ie, If an IP makes 100 connections in 5 sec to port 80 (tcp), then it will be blocked from the server and if 5 connections in 300 sec to 22 port.

Leave a Reply