Hey everyone,
I am currently trying to get a better understanding of SecureXL's PenaltyBox and SYN Attack feature. For that, I set up a Lab with R81 Mgmt & Gateway. On the external interface is the attacker machine and on the internal interface is a target running a webserver.
To simulate a SYN Attack I use hping3 on the attacker machine and flood the webserver with syns.
On the Gateway I have enabled Penalty Box and SYN Defender, with the only configuration change setting the Global Threshold for Syn Defender to 1000 connections via cli. If I understand correctly, once the gateway has more than 1000 half-opened connections, SYN Attack Defender will become active and is enforced before the penalty box?
I tried two different scenarios:
- Flood the target with the original IP of Attacker PC
- Flood the target with a spoofed IP on Attacker PC
Scenario 1 Flooding with original src IP:
sudo hping3 -c 15000 -d 0 -S -w 64 -p 80 --flood 192.168.1.142
Behavior on the GW:
- the attacker is put into the penalty box after a few seconds, future packets getting dropped.
- the peak of fw connections table entries right after the attack is ~100k and then drops rapidly (aggressive aging?)
- SecureXL connection table doesnt contain any entries
- tcpdump shows packets exiting the outgoing interface until put in pbox
- SYN Defender shows active and "Under Attack" and sends cookies as expected, connection table doesn't fíll anymore.
- Kernel debug shows that the pbox violation counter is updated until it hits the threshold.
Scenario 2 Flooding with spoofed src IP
sudo hping3 -c 15000 -d 0 -S -w 64 -p 80 --flood 192.168.1.142 -a 53.52.51.50
Behavior on the GW:
- the attacker is not put into the penalty box
- the peak of connection table entries right after the attack is ~150k and the connections dont seem to age out until the default 25 second timer is reached.
- SecureXL connection table is beeing filled aswell
- tcpdump captures incoming and outgoing packets w. spoofed ip
- SYN Defender shows active and "Under Attack" and sends cookies as expected, connection table doesn't fíll anymore.
- kernel debug shows that the pbox violation counter isn't updating
Now I have a few questions:
Why is the Attacker is the Attacker in Scenario 1 put into the penalty box but not in Scenario 2? They match the same rule in the rulebase but somehow in Scenario 2, the counter either doesn't get updated or doesn't exceed the threshold..?
A somewhat borad question: How would you defend against a real ddos attack where you have thousands of different source ips?