Skip to main content

CWP : How Configure DDOS Prevention Settings in CSF firewall ?

Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks are common threats that every publicly accessible web server faces. The purpose of such attacks, in simplest terms, is to flood a server with connections, overloading it and preventing from accepting legitimate traffic.

Step #1: SYNflood Protection

A SYNflood attack is a DoS attack exploiting the TCP (Transmission Control Protocol) connection process itself. In basic terms, a TCP connection is established using a three-way handshake:
  • The client (incoming connection) sends a synchronization packet (SYN) to the server.
  • The server responds with a synchronization acknowledgement (SYN/ACK) to the client.
  • The client then responds with an acknowledgement (ACK) back to the server.
A SYNflood attack manipulates that three-way handshake by initiating multiple synchronization requests and then refusing to respond with any final acknowledgements. On a Linux server, you can quickly check for SYN packets by running this command over SSH:
# netstat -nap | grep SYN -c
It’s important to note that the presence of SYN packets does not necessarily mean that a server actually is under SYNflood attack.If you know that the server is under attack, you can configure CSF to help mitigate this type of attack. Otherwise skip.

  1. To enable SYNflood protection, locate the Port Flood Settings section of the Firewall Configuration page.
This synflood protection will act if there are 50 connections from a single IP / sec for over 75 times. If it match those rules, then the IP will be blocked. This must not be too strict, otherwise you will be blocking legitimate connections.

Step #2: Outgoing UDP Flood Protection

This option limits outbound UDP packet floods. These typically originate from exploit scripts uploaded through vulnerable web scripts. Care should be taken on servers that use services that utilise high levels of UDP outbound traffic, such as SNMP, so you may need to alter the UDPFLOOD_LIMIT and UDPFLOOD_BURST options to suit your environment. We recommend enabling User ID Tracking (UID_INTERVAL) with this feature.

Step #3: Save Your Changes and Restart the Firewall