On Thu, 21 Dec 2023, David Christensen wrote:

> Perhaps you could set up a DMZ, move services into the DMZ, and provide a VPN connection to the DMZ for your Internet users. Then you could close all of the incoming WAN ports except VPN.
>
> It might be possible to put the VPN endpoint into a VPS, create an SSH tunnel out from the httpd server to the VPS, and close all of the WAN incoming ports.

If the OP is worried about the bandwidth usage then none of that will
help. The fact that the OP is not sending a SYN+ACK (according to the
tcpdumps that I saw) means that this is already blackholed.[2]

There are three options at this point:
1. Ignore it - my "EVILSYN[1]" blacklist is right at the top of my iptables
rules and drops without logging before anything else.

2. Talk to their ISP and get it blocked there - that's the only surefire
way to stop it eating their quota if that's the problem.

3. Try and make them give up - that's why I suggested sending a RST.


[1] I have a set of rules that blacklist IPs that send too many SYN
packets that are not responded to with SYN+ACK.

[2] This did look weird. I'm not sure how only some connections get a
SYN+ACK back - I wonder if their webserver is rate-limited and these are
"genuine" connection attempts that are failing - although the SPT=80
DPT=80 looks suspiciously like something crafted to get through naive
stateless firewall rules that rely on outgoing (allowed) connections to
have DPT=80 to the internet and SPT=80 from the internet.
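Detection logic in the spirit of the "EVILSYN" blacklist and the SPT=80/DPT=80 observation above, as an added example that is not the poster's own iptables rules: it parses constructed iptables-style LOG lines (assumed to be logged on both INPUT and OUTPUT so the SYN+ACK replies are visible) and reports sources whose SYNs never got a SYN+ACK back, plus sources using the suspicious same-port pattern.

```python
import re
from collections import defaultdict

# Constructed sample lines, loosely in iptables LOG format (not real captures).
# Assumption: both inbound SYNs (INPUT) and outbound SYN+ACKs (OUTPUT) are logged.
SAMPLE_LOG = """\
kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=80 DPT=80 SYN URGP=0
kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=80 DPT=80 SYN URGP=0
kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=80 DPT=80 SYN URGP=0
kernel: IN=eth0 OUT= SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=80 SYN URGP=0
kernel: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=80 DPT=51234 ACK SYN URGP=0
kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=44321 DPT=80 SYN URGP=0
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG", "CWR", "ECE"}

def parse_line(line):
    """Return the TCP 4-tuple and flag set of one LOG line, or None if not TCP."""
    fields = dict(FIELD_RE.findall(line))
    if fields.get("PROTO") != "TCP":
        return None
    flags = {tok for tok in line.split() if tok in TCP_FLAGS}
    return {"src": fields["SRC"], "dst": fields["DST"],
            "spt": int(fields["SPT"]), "dpt": int(fields["DPT"]), "flags": flags}

def unanswered_syns(log_text, threshold=3):
    """Per source: SYNs with no matching SYN+ACK, same-port (80->80) use, and
    whether the unanswered count reaches the blacklist threshold."""
    syns = defaultdict(list)   # src -> [(spt, dst, dpt)] for bare SYNs
    answered = set()           # (client, client_port, server, server_port) that got SYN+ACK
    same_port = set()          # sources seen with SPT=80 and DPT=80
    for line in log_text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt["flags"] == {"SYN"}:
            syns[pkt["src"]].append((pkt["spt"], pkt["dst"], pkt["dpt"]))
            if pkt["spt"] == pkt["dpt"] == 80:
                same_port.add(pkt["src"])
        elif pkt["flags"] == {"SYN", "ACK"}:
            # Reply goes server->client, so swap to the client's view of the tuple.
            answered.add((pkt["dst"], pkt["dpt"], pkt["src"], pkt["spt"]))
    report = {}
    for src, attempts in syns.items():
        missed = sum(1 for spt, dst, dpt in attempts if (src, spt, dst, dpt) not in answered)
        report[src] = {"unanswered": missed, "same_port": src in same_port,
                       "blacklist": missed >= threshold}
    return report
```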
