In "DDOS attack solution part 4" we changed the sysctl configuration file; now, to stop excessive connections to specific ports, we will define the rule in the CSF firewall.
In the CSF firewall we can enable SYNFLOOD, which is disabled by default when CSF is installed on the server. Enable it with the following settings in the main CSF firewall configuration file (/etc/csf/csf.conf):
SYNFLOOD = "1"
SYNFLOOD_RATE = "50/s"
SYNFLOOD_BURST = "15"
With the settings above, if 50 connections per second are received from a single IP address 15 times, the IP address is blocked in the server firewall. It is always recommended not to use the lowest settings, or the firewall will generate false positives and block legitimate connections as well.
The second valuable setting is PORTFLOOD. This feature does not work on servers that do not have the iptables module ipt_recent loaded; typically this is the case with MONOLITHIC kernels. VPS server admins should check with their VPS host provider that the iptables module is included.
PORTFLOOD
PORTFLOOD = "80;tcp;150;15,22;tcp;15;300"
With the setting above, if an IP address makes 150 connections in 15 seconds to port 80 (tcp), it is blocked in the server firewall; likewise if it makes 15 connections in 300 seconds to port 22. You can define other ports in the same way.
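As an added example (not part of the original post and not CSF's own code), the Python script below reads a constructed csf.conf excerpt carrying the SYNFLOOD and PORTFLOOD values shown above, splits each PORTFLOOD entry into its port;proto;hits;interval fields, rejects malformed entries, and flags thresholds low enough to cause the false positives warned about above. The min_hits floor of 10 is an assumed illustrative value, not a CSF default, and the SYNFLOOD_RATE parser only handles the per-second "N/s" form the post uses.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed csf.conf excerpt (not copied from any real server) carrying the
# SYNFLOOD and PORTFLOOD values discussed on the page, so the checks run offline.
SAMPLE_CSF_CONF = '''
# SYN flood protection
SYNFLOOD = "1"
SYNFLOOD_RATE = "50/s"
SYNFLOOD_BURST = "15"

# Port flood protection: port;proto;hits;interval[,port;proto;hits;interval ...]
PORTFLOOD = "80;tcp;150;15,22;tcp;15;300"
'''


@dataclass
class PortFloodRule:
    port: int       # destination port the rule watches
    proto: str      # "tcp" or "udp"
    hits: int       # connections allowed from one IP ...
    interval: int   # ... within this many seconds before the IP is blocked


def read_settings(conf_text: str) -> Dict[str, str]:
    """Collect KEY = "value" lines from csf.conf text; comments and blanks are skipped."""
    settings: Dict[str, str] = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'^([A-Z0-9_]+)\s*=\s*"([^"]*)"\s*$', line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def parse_synflood_rate(value: str) -> int:
    """Parse the per-second SYNFLOOD_RATE form shown on the page ("50/s") into an int.
    Assumption: only the N/s form is supported here."""
    m = re.fullmatch(r"(\d+)/s", value.strip())
    if not m:
        raise ValueError(f"unsupported SYNFLOOD_RATE {value!r}; expected N/s")
    return int(m.group(1))


def parse_portflood(value: str) -> List[PortFloodRule]:
    """Split a PORTFLOOD string into rules, rejecting malformed entries up front
    instead of discovering them after the firewall has been restarted."""
    rules: List[PortFloodRule] = []
    if not value.strip():
        return rules
    for entry in value.split(","):
        fields = [f.strip() for f in entry.split(";")]
        if len(fields) != 4:
            raise ValueError(f"PORTFLOOD entry {entry!r} needs port;proto;hits;interval")
        port_s, proto, hits_s, interval_s = fields
        if not (port_s.isdigit() and hits_s.isdigit() and interval_s.isdigit()):
            raise ValueError(f"PORTFLOOD entry {entry!r}: port, hits and interval must be integers")
        port, hits, interval = int(port_s), int(hits_s), int(interval_s)
        if not 1 <= port <= 65535:
            raise ValueError(f"PORTFLOOD entry {entry!r}: port out of range")
        if proto.lower() not in ("tcp", "udp"):
            raise ValueError(f"PORTFLOOD entry {entry!r}: proto must be tcp or udp")
        if hits < 1 or interval < 1:
            raise ValueError(f"PORTFLOOD entry {entry!r}: hits and interval must be positive")
        rules.append(PortFloodRule(port, proto.lower(), hits, interval))
    return rules


def review_settings(settings: Dict[str, str], min_hits: int = 10) -> List[str]:
    """Return warnings for settings likely to block legitimate clients.
    min_hits is an assumed illustrative floor for this example, not a csf default."""
    warnings: List[str] = []
    if settings.get("SYNFLOOD", "0") != "1":
        warnings.append("SYNFLOOD is disabled (csf default); SYN flood limiting is off")
    else:
        rate = parse_synflood_rate(settings.get("SYNFLOOD_RATE", "0/s"))
        if rate < min_hits:
            warnings.append(f"SYNFLOOD_RATE {rate}/s is very low; legitimate bursts may be blocked")
    for rule in parse_portflood(settings.get("PORTFLOOD", "")):
        if rule.hits < min_hits:
            warnings.append(
                f"PORTFLOOD port {rule.port}/{rule.proto}: only {rule.hits} hits per "
                f"{rule.interval}s allowed; legitimate clients may be blocked"
            )
    return warnings


if __name__ == "__main__":
    parsed = read_settings(SAMPLE_CSF_CONF)
    for rule in parse_portflood(parsed["PORTFLOOD"]):
        print(f"port {rule.port}/{rule.proto}: block after {rule.hits} hits in {rule.interval}s")
    print("warnings:", review_settings(parsed) or "none")
```

Running the script against the sample excerpt prints the two rules from the post and no warnings; feeding it a PORTFLOOD entry such as "80;tcp;5;60" produces a warning, which is the kind of check worth running before restarting CSF with a tightened configuration.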