On 24/05/16 14:56, Kapetanakis Giannis wrote:
Hi,
I have a couple of questions regarding the timeout of PROXY:SRC states
in a syn-flood DOS scenario (+spoofing). My need is for quick state
deletion of invalid connections on the firewall/router (not on the
server).
I've noticed that only tcp.first is taken into account for state expiry.
age 00:00:05, expires in 00:00:00, 0:0 pkts, 0:0 bytes, rule 0
Then probably the interval timeout is being used for state to be
completely purged from state table. How does this work because I've
seen age reaching up to 20sec and sometimes a lot less. I can't get a
certain clue of which timers are being used.
Also if I'm syncing states between firewalls (on the synproxy rule)
then the entry from
pfctl -si | grep "current entries" is a lot bigger than
pfctl -ss | wc -l
In real attacks it gets up to 1.5M vs 500K
If I do no-sync then the two entries are almost the same. How does pfsync
increase the number of states? (I have set skip on $sync_if)
I'm using tcp.first 5 and interval 5. I'm also playing with adaptive
start/end.
Any more recommendations apart from provider's help in mitigation?
best regards,
G
any info on this from someone?
regards,
G
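A small parser for the `pfctl -vss` listing the question quotes from, added here as an example and not part of the thread or of pfctl itself. It assumes the two-line-per-state layout shown in the message (a header line ending in the pf state name, then the `age ..., expires in ...` line), and the output below is constructed, not captured from a real firewall. It counts entries per pf state string, flags entries whose timer has already reached `00:00:00` but which are still listed (they stay in the table until the purge pass, whose cadence is `set timeout interval`), and reads `current entries` out of `pfctl -si` so the two numbers compared in the message can be diffed from a script.

```python
import re
from collections import Counter

# Constructed sample in the layout of `pfctl -vss` (OpenBSD): one header line per
# state followed by an indented "age ..." line.  Not real capture data.
SAMPLE_PFCTL_VSS = """\
all tcp 192.0.2.10:80 <- 198.51.100.7:40111       PROXY:SRC
   age 00:00:02, expires in 00:00:03, 0:0 pkts, 0:0 bytes, rule 3
all tcp 192.0.2.10:80 <- 198.51.100.8:40112       PROXY:SRC
   age 00:00:05, expires in 00:00:00, 0:0 pkts, 0:0 bytes, rule 3
all tcp 192.0.2.10:80 <- 198.51.100.9:40113       PROXY:SRC
   age 00:00:19, expires in 00:00:00, 0:0 pkts, 0:0 bytes, rule 3
all tcp 192.0.2.10:80 <- 203.0.113.4:51000       ESTABLISHED:ESTABLISHED
   age 00:01:12, expires in 23:58:48, 20:15 pkts, 2000:900 bytes, rule 3
"""

# Constructed fragment of `pfctl -si`; only the "current entries" line is used.
SAMPLE_PFCTL_SI = """\
State Table                          Total             Rate
  current entries                        6
  searches                           12345            3.4/s
"""

# Header: direction, protocol, the address pair, then the state name after a
# run of at least two spaces.
HEADER_RE = re.compile(
    r"^(?P<dir>\S+)\s+(?P<proto>\S+)\s+(?P<addrs>.+?)\s{2,}(?P<state>\S+)\s*$")
AGE_RE = re.compile(
    r"^\s+age (?P<age>\d+:\d\d:\d\d), expires in (?P<exp>\d+:\d\d:\d\d), "
    r"(?P<pkts>\d+:\d+) pkts, (?P<bytes>\d+:\d+) bytes, rule (?P<rule>\d+)")


def _hms_to_seconds(hms):
    """Convert pfctl's H:MM:SS timer text to seconds."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def parse_states(text):
    """Pair each state header line with the 'age ...' line that follows it."""
    states = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"proto": m.group("proto"), "addrs": m.group("addrs"),
                       "state": m.group("state")}
            states.append(current)
            continue
        m = AGE_RE.match(line)
        if m and current is not None:
            current["age"] = _hms_to_seconds(m.group("age"))
            current["expires_in"] = _hms_to_seconds(m.group("exp"))
            current["rule"] = int(m.group("rule"))
    return states


def summarize(states):
    """Count states per pf state name and entries already past their timer."""
    by_state = Counter(s["state"] for s in states)
    # "expires in 00:00:00" entries are still in the table: pf removes them on
    # its next purge pass (cadence: `set timeout interval`), not the instant
    # the timer hits zero, so their age keeps growing until then.
    pending_purge = [s for s in states if s.get("expires_in") == 0]
    oldest_pending = max((s["age"] for s in pending_purge), default=0)
    return {"total": len(states),
            "by_state": dict(by_state),
            "pending_purge": len(pending_purge),
            "oldest_pending_age": oldest_pending}


def current_entries(pfctl_si_text):
    """Extract the 'current entries' counter from `pfctl -si` output."""
    m = re.search(r"current entries\s+(\d+)", pfctl_si_text)
    return int(m.group(1)) if m else None


if __name__ == "__main__":
    parsed = parse_states(SAMPLE_PFCTL_VSS)
    report = summarize(parsed)
    listed = report["total"]
    counted = current_entries(SAMPLE_PFCTL_SI)
    print(report)
    print(f"pfctl -si current entries: {counted}, listed by pfctl -ss: {listed}, "
          f"difference: {counted - listed}")
```

On a live box the two samples would be replaced by `subprocess.run(["pfctl", "-vss"], ...)` and `subprocess.run(["pfctl", "-si"], ...)` output; the difference printed at the end is the gap the message describes between `current entries` and the `pfctl -ss` line count, and `oldest_pending_age` shows how long already-expired entries have been waiting for the purge pass.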