
Stefanino

@telecomitalia.it

How to Block Source of ADP Attack Instead of Destination

Hi!

I recently "protected" my server with a Zywall USG 100.

I configured Anomaly Detection and Prevention against server overload caused by flood attacks (it is simple to do a flood attack: hold down the F5 key in your browser when you browse a site and the server will overload).

Parameters: Threshold 20, block period 30 seconds

But... after a flood attack the log shows:

from Any to LAN1, [type=Flood-Detection(8122028)] TCP Flood Action: Block Severity: medium from xx.249.76.163 xx.xx.xx.212 BLOCK DST

BLOCK DST! not BLOCK SRC!!!!!

This means that a flood attack blocks access to the site, not the source of the attack! While the Zywall waits for the 30-second timeout, every website linked to the destination IP address is inaccessible!!!!! OK, CPU goes down.... but also websites!!!!

If I go to Anti-X, ADP, Profile, edit my profile, Traffic Anomaly, I see that the actions are only 2 for flood detection: none or block.

If I go to Protocol Anomaly instead of Traffic Anomaly, the Action options are none, drop, reject sender, reject receiver, reject both.

How can I block the source of a flood attack?

Thanks!!!!!!!!


imanon

@comcast.net

Why not just make a firewall rule to Deny the outside IP that is bothering you?

Otherwise I would expect that "drop" or "reject sender" are the options you want.
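
An added example, not part of the thread and not ZyXEL tooling: a small Python log summarizer that shows, per blocked destination, how many `BLOCK DST` events it took and which source addresses triggered them, which is the list a deny rule like the one suggested above would need. The field layout is assumed from the single log line quoted in the first post, and the sample lines are constructed with documentation address ranges.

```python
import re
from collections import defaultdict

# Field layout assumed from the one log line quoted in the thread.
FLOOD_RE = re.compile(
    r"\[type=Flood-Detection\((?P<sid>\d+)\)\]\s+(?P<proto>\w+) Flood\s+"
    r"Action:\s*(?P<action>\w+)\s+Severity:\s*(?P<severity>\w+)\s+"
    r"(?:from\s+)?(?P<src>\S+)\s+(?P<dst>\S+)\s+BLOCK\s+(?P<side>SRC|DST)\s*$"
)

BLOCK_PERIOD_S = 30  # block period given in the first post

# Constructed sample lines (documentation addresses), not real device output.
PREFIX = ("from Any to LAN1, [type=Flood-Detection(8122028)] TCP Flood "
          "Action: Block Severity: medium from ")
SAMPLE_LOG = "\n".join([
    PREFIX + "203.0.113.7 198.51.100.212 BLOCK DST",
    PREFIX + "203.0.113.7 198.51.100.212 BLOCK DST",
    PREFIX + "203.0.113.99 198.51.100.212 BLOCK DST",
    "from WAN to ZyWALL, unrelated entry that must be skipped",
])

def parse_flood_events(text):
    """Return one dict per flood-detection line; other lines are ignored."""
    return [m.groupdict() for m in map(FLOOD_RE.search, text.splitlines()) if m]

def summarize(events, block_period_s=BLOCK_PERIOD_S):
    """Per destination that was blocked: event count, sources, outage bound."""
    per_dst = defaultdict(lambda: defaultdict(int))
    for ev in events:
        if ev["side"] == "DST":  # the behaviour the thread complains about
            per_dst[ev["dst"]][ev["src"]] += 1
    report = {}
    for dst, sources in per_dst.items():
        blocks = sum(sources.values())
        report[dst] = {
            "blocks": blocks,
            # Upper bound: assumes every event starts a fresh block period.
            "max_blocked_seconds": blocks * block_period_s,
            # Most frequent trigger first: candidates for a deny rule.
            "sources": sorted(sources.items(), key=lambda kv: (-kv[1], kv[0])),
        }
    return report

if __name__ == "__main__":
    for dst, info in summarize(parse_flood_events(SAMPLE_LOG)).items():
        print(dst, info)
```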