I recently "protected" my server with a Zywall USG 100.
I configured Anomalies Detection Prevention against server overload caused by flood attacks (it is simple to do a flood attack: hold down the F5 key in your browser while you browse a site and the server will overload).
Parameters: Threshold 20, block period 30 seconds
But... after a flood attack the log shows:
from Any to LAN1, [type=Flood-Detection(8122028)] TCP Flood Action: Block Severity: medium from xx.249.76.163 xx.xx.xx.212 BLOCK DST
BLOCK DST! Not BLOCK SRC!!!!!
This means that a flood attack blocks access to the site, not the source of the attack! While the Zywall waits out the 30-second timeout, every website linked to the destination IP address is inaccessible!!!!! OK, CPU load goes down.... but so do the websites!!!!
If I go to Anti-X, ADP, Profile, edit my profile, Traffic Anomaly, I see that there are only two actions for flood detection: none or block.
If I go to Protocol Anomaly instead of Traffic anomaly, the Action options are none, drop, reject sender, reject receiver, reject both.
How can I block the source of a flood attack?
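To notice this failure mode from the logs rather than from a user complaining, here is an added example (not from the post or from Zyxel) that parses ADP flood-detection lines in the format quoted above and counts the events whose block target is DST, i.e. the cases where the firewall has cut off the protected host instead of the flooding client. The sample lines are constructed with RFC 5737 documentation addresses because the post redacts its IPs, and the trailing "BLOCK SRC"/"BLOCK DST" token being optional is an assumption.

```python
import re
from collections import Counter

# Field layout taken from the ADP log line quoted in the post:
# from <zone> to <zone>, [type=<name>(<id>)] <proto> Flood Action: <action>
# Severity: <sev> from <src> <dst> BLOCK <SRC|DST>
# The trailing verdict/target tokens are treated as optional (assumption).
ADP_FLOOD_RE = re.compile(
    r"from (?P<from_zone>\S+) to (?P<to_zone>\S+), "
    r"\[type=(?P<type>[\w-]+)\((?P<type_id>\d+)\)\] "
    r"(?P<proto>\w+) Flood Action: (?P<action>\w+) "
    r"Severity: (?P<severity>\w+) "
    r"from (?P<src>\S+) (?P<dst>\S+)"
    r"(?: (?P<verdict>BLOCK|DROP|NONE)(?: (?P<target>SRC|DST))?)?"
)

# Constructed sample log: three DST blocks against one server, one SRC block.
SAMPLE_LOG = """\
from Any to LAN1, [type=Flood-Detection(8122028)] TCP Flood Action: Block Severity: medium from 198.51.100.23 203.0.113.212 BLOCK DST
from Any to LAN1, [type=Flood-Detection(8122028)] TCP Flood Action: Block Severity: medium from 198.51.100.23 203.0.113.212 BLOCK DST
from Any to LAN1, [type=Flood-Detection(8122028)] TCP Flood Action: Block Severity: medium from 198.51.100.77 203.0.113.212 BLOCK DST
from Any to LAN1, [type=Flood-Detection(8122028)] UDP Flood Action: Block Severity: medium from 198.51.100.9 203.0.113.40 BLOCK SRC
"""


def parse_adp_line(line):
    """Return the named fields of one ADP flood log line, or None if it does not match."""
    m = ADP_FLOOD_RE.search(line)
    return m.groupdict() if m else None


def self_blocking_events(log_text):
    """Count BLOCK DST events per destination address.

    A non-empty result means the firewall has made one of your own hosts
    unreachable for the block period, which is the outage described above.
    """
    hits = Counter()
    for line in log_text.splitlines():
        ev = parse_adp_line(line)
        if ev and ev["verdict"] == "BLOCK" and ev["target"] == "DST":
            hits[ev["dst"]] += 1
    return dict(hits)


def flooding_sources(log_text, dst):
    """List the source addresses that triggered blocks against a given destination."""
    return sorted({ev["src"] for ev in map(parse_adp_line, log_text.splitlines())
                   if ev and ev["dst"] == dst and ev["verdict"] == "BLOCK"})
```

Feeding the firewall syslog into self_blocking_events gives the list of servers the ADP rule is taking offline, and flooding_sources tells you which client addresses to rate-limit or block upstream instead.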