Sync attack or DDOS prevention settings in CSF firewall
Sunday, November 15th, 2015The two directives are PORTFLOOD and SYNFLOOD.
SYNFLOOD
SYNFLOOD is disabled by default. If you are not receiving any sort of attack, there is no need to enable it. If you are expecting an attack, enable it and set the rules a bit strict, like
SYNFLOOD = “1? SYNFLOOD_RATE = “30/s” SYNFLOOD_BURST = “10? i.e. if 30 connections are received from an IP/sec for 10 times, block it. Make sure don’t keep it too strict if you are not receiving an attack else it will generate false positives and will block legit connections. PORTFLOOD
PORTFLOOD = 80;tcp;100;5,22;tcp;5;300 ie, If an IP makes 100 connections in 5 sec to port 80 (tcp), then it will be blocked from the server and if 5 connections in 300 sec to 22 port.