Feature Request: better SYN flood DDOS protection

I’m dealing with a B One which is under attack from a DDOS SYN flood style attack.

Although the Peplink Firewall claims to block these sorts of attacks, they are still getting through.

Here’s a macOS bash script to diagnose the attack, counting the # of connections stuck in the SYN_RCVD state:

SYN Flood Logger for macOS
Edit: I have a nice bash script, but the forum software is giving me 403 errors when I try to include it.  Likely it doesn't allow some of the keywords in the script?  Please send me a PM if you want a copy.

Here is the output of this script on a server under attack:

./syn_flood_logger.sh
--------------------------------------------
Connections stuck in SYN_RCVD
--------------------------------------------
IP Address         Connections  Country
--------------------------------------------
165.154.8.10       16           India
128.14.226.122     21           Taiwan
91.124.18.144      15           The Netherlands
152.32.181.65      17           United Arab Emirates
101.36.97.173      15           United Kingdom
169.197.113.233    14           United Kingdom
107.150.105.104    18           United States
23.93.33.203       10           United States

In the past, I was able to stop this attack using Regional blocking: Link as the attack was originating from a single country (Brazil).

However, as you can see now, the attack is coming from all over the globe (I suspect residential proxies are being used).

Feature Request

  • Improve the built-in DDOS protection rules to catch and block these sorts of attacks
  • Allow us to customize these rules, for example “If _____ SYN packets are received from the same IP within ____ seconds, block the IP for _____ seconds”
  • Add logging so we can see when this DDOS protection is working
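Since the poster's script could not be attached, here is an added example of the same kind of diagnostic check (my own code, not the original poster's script): it counts half-open TCP connections per remote IP from macOS `netstat -an` output and flags the IPs at or above a threshold, which is the sort of "N SYN packets from one IP" rule the feature request asks for. The country column is left out (it needs an online geolocation lookup); the sample netstat lines, the threshold and the `--live` flag are constructed for this example.

```shell
#!/bin/sh
# Added example, not the original poster's script.
# Counts half-open TCP connections (state SYN_RCVD) per remote IP from
# macOS/BSD `netstat -an` output and flags IPs above a threshold.
#
# Usage: ./syn_rcvd_count.sh --live          (run netstat on this host)
#        ./syn_rcvd_count.sh < saved_netstat.txt

# Read netstat lines on stdin; print "ip count" per remote IP, busiest first.
# Assumes the macOS column layout: proto recv-q send-q local foreign state,
# with addresses written as ip.port (the port follows the last dot).
count_syn_rcvd() {
  awk '$1 ~ /^tcp/ && $NF == "SYN_RCVD" {
         addr = $5
         sub(/\.[^.]*$/, "", addr)    # strip the trailing .port
         n[addr]++
       }
       END { for (ip in n) print ip, n[ip] }' | sort -k2,2nr -k1,1
}

# Print only the IPs whose half-open count is at or above threshold $1.
# Input: "ip count" lines as produced by count_syn_rcvd.
flag_offenders() {
  awk -v t="$1" '$2 >= t { print $1 }'
}

# Constructed sample netstat output (not captured from a real host).
SAMPLE_NETSTAT='tcp4       0      0  10.0.0.5.443           165.154.8.10.51234     SYN_RCVD
tcp4       0      0  10.0.0.5.443           165.154.8.10.51240     SYN_RCVD
tcp4       0      0  10.0.0.5.443           23.93.33.203.40001     SYN_RCVD
tcp4       0      0  10.0.0.5.443           198.51.100.7.55000     ESTABLISHED
tcp4       0      0  10.0.0.5.22            165.154.8.10.51300     SYN_RCVD
udp4       0      0  *.5353                 *.*'

if [ "${1:-}" = "--live" ]; then
  echo "Connections stuck in SYN_RCVD (per remote IP)"
  netstat -an -p tcp | count_syn_rcvd
  echo "IPs with 10 or more half-open connections:"
  netstat -an -p tcp | count_syn_rcvd | flag_offenders 10
fi
```

Without `--live` the functions are defined but nothing is printed, so the file can also be sourced and fed saved netstat output through `count_syn_rcvd`.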