behaviour with pbox and synatk

Mastering Compliance
Unveiling the power of Compliance Blade

WATCH NOW

SASE Masters:
Deploying Harmony SASE for a 6,000-Strong Workforce
in a Single Weekend

May the 4th (+4)
Navigating Paradigm Shifts in Cyber

CPX 2024 Content
is Here!

Get What You Need

Harmony SaaS
The most advanced prevention
for SaaS-based threats

LEARN MORE

CheckMates Go:
CPX 2024 Recap

LISTEN NOW

Create a Post

Hey everyone,

I am currently trying to get a better understanding of SecureXL's PenaltyBox and SYN Attack feature. For that, I set up a Lab with R81 Mgmt & Gateway. On the external interface is the attacker machine and on the internal interface is a target running a webserver.
To simulate a SYN Attack I use hping3 on the attacker machine and flood the webserver with syns.

On the Gateway I have enabled Penalty Box and SYN Defender, with the only configuration change setting the Global Threshold for Syn Defender to 1000 connections via cli. If I understand correctly, once the gateway has more than 1000 half-opened connections, SYN Attack Defender will become active and is enforced before the penalty box?

I tried two different scenarios:

Flood the target with the original IP of Attacker PC
Flood the target with a spoofed IP on Attacker PC

Scenario 1 Flooding with original src IP:

sudo hping3 -c 15000 -d 0 -S -w 64 -p 80 --flood 192.168.1.142

Behavior on the GW:

the attacker is put into the penalty box after a few seconds, future packets getting dropped.
the peak of fw connections table entries right after the attack is ~100k and then drops rapidly (aggressive aging?)
SecureXL connection table doesnt contain any entries
tcpdump shows packets exiting the outgoing interface until put in pbox
SYN Defender shows active and "Under Attack" and sends cookies as expected, connection table doesn't fíll anymore.
Kernel debug shows that the pbox violation counter is updated until it hits the threshold.

Scenario 2 Flooding with spoofed src IP

sudo hping3 -c 15000 -d 0 -S -w 64 -p 80 --flood 192.168.1.142 -a 53.52.51.50

Behavior on the GW:

the attacker is not put into the penalty box
the peak of connection table entries right after the attack is ~150k and the connections dont seem to age out until the default 25 second timer is reached.
SecureXL connection table is beeing filled aswell
tcpdump captures incoming and outgoing packets w. spoofed ip
SYN Defender shows active and "Under Attack" and sends cookies as expected, connection table doesn't fíll anymore.
kernel debug shows that the pbox violation counter isn't updating

Now I have a few questions:

Why is the Attacker is the Attacker in Scenario 1 put into the penalty box but not in Scenario 2? They match the same rule in the rulebase but somehow in Scenario 2, the counter either doesn't get updated or doesn't exceed the threshold..?

A somewhat borad question: How would you defend against a real ddos attack where you have thousands of different source ips?