Attack Defense TCP SYN Flooding

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2023-02-17 09:07:35
Model: OC200
Hardware Version: V1
Firmware Version: 5.7.6

Hi All

 

Is there a workaround to minimize the attacks, especially the TCP SYN Flooding?

I tried to set a gateway ACL and put all detected IPs into a group and deny them from accessing the gateway management page, but they still show up in the logs.

UPnP and SSH are disabled too. Also, I tried to scan my WAN's static IPs for open ports but found nothing.
#1
Re:Attack Defense TCP SYN Flooding
2023-02-17 13:23:59

@2Dr

From what I can see 'Gateway ACLs' don't work at all on at least the ER605v1 in controller mode (I was trying to block multiple subnets engaged in SMTP attacks).  To get any relief I had to set it as a bi-directional switch ACL.

<< Paying it forward, one juicy problem at a time... >>
#2
Re:Attack Defense TCP SYN Flooding
2023-02-19 05:27:41

@d0ugmac1

I hope someone from the moderators can help us mitigate this kind of concern.

I frequently receive TCP SYN FLOOD attacks that last 2-3 minutes and are logged every 5 seconds.

#3
Re:Attack Defense TCP SYN Flooding
2023-02-19 14:49:34

  @2Dr

Can your ISP get you a different IP?  Does the attack follow your new IP?  Maybe you are doing something online that has made you an attack target?

If you aren't on a residential internet service you may be able to find a carrier that can offer DDOS protection integrated into their core. This would scrub the attack traffic before it even hits (floods) your pipe.

If that isn't an option you may be able to leverage a commercial VPN service (or two) and let them deal with the problem.

<< Paying it forward, one juicy problem at a time... >>
#4
Re:Attack Defense TCP SYN Flooding
2023-02-19 20:12:01

@2Dr Any kind of modern SYN flood (and not what this probably is, a false positive or a misbehaving device) can only be effectively stopped by your ISP.

A word of warning: your ISP won't do a damn thing other than plugging YOU off their network if they find a real attack against you. They are not in the DOS protection business but in the "provide a large number of people internet service" business, and a real DOS will hurt their bottom line due to disruption of the medium shared by possibly thousands of customers.

If you are really lucky they will find it by themselves and null route the device.

#5
Re:Attack Defense TCP SYN Flooding
2023-02-20 00:30:37

@crrodriguez

I know ISPs don't care about DoS protection unless they offer that add-on service.

Right now, I am sure that the TCP SYN Flood came from my primary WAN. I hope on the next update, they consider adding the WAN interface and port from the current attack source IP only.
#6
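Added triage script, not code from this thread or from TP-Link: it groups the "TCP SYN Flooding" entries by source IP into bursts and reports each burst's duration and entry count (the "2-3 minutes, logged every 5 seconds" pattern above), and it flags RFC1918 sources, since a burst from a LAN address points to the misbehaving device the #5 reply mentions rather than an Internet attack. The log line format, the regex and the sample lines are constructed assumptions; the real OC200 log format differs and the regex must be adapted to it.

```python
# Added example, not OC200/Omada code: group "TCP SYN Flooding" log entries into
# per-source bursts and flag LAN (RFC1918) sources. The line format is assumed.
from datetime import datetime, timedelta
import ipaddress
import re

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*TCP SYN Flooding.*?"
    r"from (?P<src>[\d.]+):\d+ to [\d.]+:\d+"
)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_lan(ip):
    """True for RFC1918 addresses only (documentation ranges such as 203.0.113.0/24 count as external)."""
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)

def parse_events(lines):
    """Return (timestamp, src_ip) for SYN-flood entries, oldest first; other lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            events.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["src"]))
    return sorted(events)

def summarize_bursts(lines, gap=timedelta(seconds=30)):
    """Split each source's events into bursts wherever two entries are more than `gap` apart."""
    bursts, open_burst = [], {}
    for ts, src in parse_events(lines):
        b = open_burst.get(src)
        if b is None or ts - b["last"] > gap:
            b = {"src": src, "lan": is_lan(src), "start": ts, "last": ts, "count": 0}
            open_burst[src] = b
            bursts.append(b)
        b["last"], b["count"] = ts, b["count"] + 1
    for b in bursts:  # seconds = first entry to last entry of the burst
        b["seconds"] = int((b.pop("last") - b["start"]).total_seconds())
    return bursts

# Constructed sample log in the assumed format; 5-second cadence as described in the thread.
SAMPLE_LOG = [
    "2023-02-19 05:00:00 OC200 Attack Defense: TCP SYN Flooding from 203.0.113.7:443 to 198.51.100.10:80",
    "2023-02-19 05:00:05 OC200 Attack Defense: TCP SYN Flooding from 203.0.113.7:443 to 198.51.100.10:80",
    "2023-02-19 05:00:12 OC200 Attack Defense: TCP SYN Flooding from 192.168.0.42:5555 to 198.51.100.10:22",
    "2023-02-19 05:02:40 OC200 Attack Defense: TCP SYN Flooding from 203.0.113.7:443 to 198.51.100.10:80",
    "2023-02-19 05:01:00 OC200 Attack Defense: ICMP Flooding from 203.0.113.9 to 198.51.100.10",
]

if __name__ == "__main__":
    for b in summarize_bursts(SAMPLE_LOG):
        print(b)
```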