Attack Defense TCP SYN Flooding
Hi All
Is there a workaround to minimize the attacks, especially the TCP SYN Flooding?
I tried to set a gateway ACL and put all detected IPs into a group and deny them from accessing the gateway management page but still, they still show up in the logs.
The UPnP and SSH is disabled too. Also, I tried to scan my WANs static IPs for open ports but found nothing.
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
From what I can see 'Gateway ACLs' don't work at all on at least the ER605v1 in controller mode (I was trying to block multiple subnets engaged in SMTP attacks). To get any relief I had to set it as a bi-directional switch ACL.
- Copy Link
- Report Inappropriate Content
I hope someone from the moderators can help us mitigate this kind of concern.
I frequently receive TCP SYN FLOOD attacks that last 2-3 minutes and are logged every 5 seconds.
- Copy Link
- Report Inappropriate Content
Can your ISP get you a different IP? Does the attack follow your new IP? Maybe you are doing something online that has made you an attack target?
if you aren't on a residential internet service you may be able to find a carrier that can offer DDOS protection integrated into their core. This would scrub the attack traffic before it even hits (floods) your pipe.
If that isn't an option you may be able to leverage a commercial VPN service (or two) and let them deal with the problem.
- Copy Link
- Report Inappropriate Content
@2Dr Any kind of modern SYN flood (and not what this probably is, a false positive or a misbehaving device) can only be effectively stopped by your ISP.
A word of warning, you ISP won't do a damn thing other than plugging YOU off their network if they find a real attack against you. they are not in the DOS protection business but in the "provide a large number people internet service" and a real DOS will hurt their bottom line due to disruption of the medium shared by possibly thousands of customers.
If you are really lucky they will find it by themselves and null route the device.
- Copy Link
- Report Inappropriate Content
I know ISPs don't care about DoS protection unless they offer that add-on service.
Right now, I am sure that the TCP SYN Flood came from my primary WAN. I hope on the next update, they consider adding the WAN interface and port from the current attack source IP only.
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 1533
Replies: 5
Voters 0
No one has voted for it yet.