DDOS attack solution part 5


In “DDOS attack solution part 4” we changed the sysctl configuration file. Now, to stop excessive connections to a specific port, we will define rules in the CSF firewall.

In the CSF firewall, we can enable SYNFLOOD, which is disabled by default when CSF is installed on the server. Enable it with the following settings in the server's main CSF firewall configuration file (/etc/csf/csf.conf):

SYNFLOOD = "1"

SYNFLOOD_RATE = "50/s"

SYNFLOOD_BURST = "15"

With the settings above, if 50 connections per second are received from a single IP address 15 times, the IP address will be blocked in the server firewall. It is always recommended to make sure that you are not using settings that are too low, otherwise they will generate false positives and the firewall will block legitimate connections as well.

The second valuable setting is PORTFLOOD. This feature does not work on servers that do not have the iptables module ipt_recent loaded. Typically, this will be with MONOLITHIC kernels. VPS server admins should check with their VPS host provider that the iptables module is included.

PORTFLOOD

PORTFLOOD = "80;tcp;150;15,22;tcp;15;300"

With the settings above, if an IP address makes 150 connections in 15 seconds to port 80 (tcp), the IP address will be blocked in the server firewall, and if it makes 15 connections in 300 seconds to port 22, it will be blocked as well. You can define other ports in the same way.
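To check a PORTFLOOD value for false positives before applying it, the added example below (not part of the original article and not CSF's own code) parses the setting and replays connection records against it. The function names and the sample traffic are constructed for illustration, and the blocking logic is a simplified model of the behaviour described above.

```python
from collections import defaultdict, deque

def parse_portflood(value):
    """Parse 'port;proto;hits;seconds,...' into {(port, proto): (hits, seconds)}."""
    rules = {}
    for entry in value.strip().strip('"').split(","):
        fields = entry.split(";")
        if len(fields) != 4:
            raise ValueError(f"expected port;protocol;hits;seconds, got {entry!r}")
        port, proto, hits, seconds = fields
        proto = proto.lower()
        if proto not in ("tcp", "udp"):
            raise ValueError(f"unknown protocol in {entry!r}")
        port, hits, seconds = int(port), int(hits), int(seconds)
        if not 1 <= port <= 65535 or hits < 1 or seconds < 1:
            raise ValueError(f"value out of range in {entry!r}")
        rules[(port, proto)] = (hits, seconds)
    return rules

def would_block(rules, connections):
    """Return {(ip, port): timestamp at which the model blocks that IP}.

    connections: (timestamp_seconds, ip, port, proto) tuples sorted by time.
    Model (an assumption): an IP is blocked once it has opened `hits`
    connections to the port inside any window of `seconds` seconds.
    """
    recent = defaultdict(deque)
    blocked = {}
    for ts, ip, port, proto in connections:
        rule = rules.get((port, proto))
        if rule is None or (ip, port) in blocked:
            continue
        hits, seconds = rule
        window = recent[(ip, port)]
        window.append(ts)
        while window[0] <= ts - seconds:   # drop entries older than the window
            window.popleft()
        if len(window) >= hits:
            blocked[(ip, port)] = ts
    return blocked

# Constructed sample traffic using documentation addresses, not real logs.
RULES = parse_portflood('"80;tcp;150;15,22;tcp;15;300"')
SAMPLE = sorted(
    [(i * 0.05, "203.0.113.7", 80, "tcp") for i in range(200)]     # 20 conn/s flood
    + [(i * 1.0, "198.51.100.20", 80, "tcp") for i in range(200)]  # 1 conn/s client
    + [(i * 10.0, "192.0.2.44", 22, "tcp") for i in range(20)]     # SSH job every 10 s
)
print(would_block(RULES, SAMPLE))
```

In this sample the flood source is blocked on port 80 and the steady client is not, but the SSH job that connects every 10 seconds also crosses the 15-in-300 threshold, which is the kind of false positive to look for before enabling a rule.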

 

About Anant 384 Articles
Senior technical writer
