Hi,
I have a couple of questions regarding the timeout of PROXY:SRC states
in a syn-flood DOS scenario (+spoofing). My need is for quick state
deletion of invalid connections on the firewall/router (not on the server).
I've noticed that only tcp.first is taken into account for state expiry.
age 00:00:05, expires in 00:00:00, 0:0 pkts, 0:0 bytes, rule 0
Then probably the interval timeout is being used for the state to be
completely purged from the state table. How does this work? I've seen
the age reaching up to 20 sec and sometimes a lot less. I can't tell for
certain which timers are being used.
Also if I'm syncing states between firewalls (on the synproxy rule) then
the entry from
pfctl -si | grep "current entries" is a lot bigger than
pfctl -ss | wc -l
In real attacks it gets up to 1.5M vs 500K.
If I do no-sync then the two entries are almost the same. How does pfsync
increase the number of states? (I have set skip on $sync_if)
I'm using tcp.first 5 and interval 5. I'm also playing with adaptive
start/end.
Any more recommendations apart from provider's help in mitigation?
Best regards,
G