We are currently getting a lot of TCP flooding attacks. I have a short question regarding the log entry "TCP flood/14". What does the number 14 stand for? Does it represent some IP or TCP flags? It would help me set up the filters.
Thanks in advance!
Firewall events log "type of TCP flood/14"
MortalSeg
Re: Firewall events log "type of TCP flood/14"
If you are seeing the notice in the event log about the TCP flood, there is no need to set up your own filter for it. When NFO's system detects the attack, they apply a filter at the router to block the traffic, so it never reaches your game server or machine.
Not a NFO employee
Re: Firewall events log "type of TCP flood/14"
Apparently it is detected too late. The lags in-game are some minutes long before this event shows up. That's why I want to filter such attacks directly.
Re: Firewall events log "type of TCP flood/14"
MortalSeg wrote: Apparently it is detected too late. The lags in-game are some minutes long before this event shows up. That's why I want to filter such attacks directly.

While the server is lagging, you can use the packet capture tool in detailed mode to get a snapshot of the incoming packets to make a filter.
Not a NFO employee
Re: Firewall events log "type of TCP flood/14"
soja wrote: While the server is lagging, you can use the packet capture tool in detailed mode to get a snapshot of the incoming packets to make a filter.

We are doing that but not always right in time.
So if anyone knows what the number stands for, please inform me.
Re: Firewall events log "type of TCP flood/14"
Okay, looks like the attack was tcp-ack flooding (probably reflected) against a closed port. I don't know why it's so effective against our service, hopefully a rate-limit filter will help.
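
An added example (not part of the thread and not NFO's tooling): a tally of inbound TCP flags per destination port from a text packet capture, which is how a bare-ACK flood against a closed port like the one described in the last post becomes visible. It assumes tcpdump-style output lines; the addresses, ports and the `summarize` helper are constructed for illustration.

```python
import re
from collections import Counter

# tcpdump -n style: "<time> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)

def summarize(lines, server_ip, open_ports):
    """Tally inbound TCP packets by (dst port, flags); count bare ACKs to closed ports."""
    by_pattern, stray_sources, total = Counter(), Counter(), 0
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m["dst"] != server_ip:
            continue  # skip outbound traffic and lines that are not TCP
        total += 1
        dport = int(m["dport"])
        by_pattern[(dport, m["flags"])] += 1
        # "." alone is tcpdump's notation for a segment with only ACK set
        if m["flags"] == "." and dport not in open_ports:
            stray_sources[m["src"]] += 1
    stray = sum(stray_sources.values())
    return {
        "total_inbound": total,
        "stray_ack_packets": stray,
        "stray_ack_share": stray / total if total else 0.0,
        "distinct_sources": len(stray_sources),
        "top_pattern": by_pattern.most_common(1)[0] if by_pattern else None,
    }

# Constructed sample capture (documentation address ranges, not real traffic):
# five bare ACKs to a closed port, two legitimate packets, one outbound RST.
SERVER, OPEN_PORTS = "203.0.113.10", {27015}
SAMPLE = [
    f"12:00:00.00000{i} IP 198.51.100.{i}.443 > {SERVER}.27020: "
    "Flags [.], ack 1, win 512, length 0"
    for i in range(1, 6)
] + [
    f"12:00:00.000010 IP 192.0.2.44.51000 > {SERVER}.27015: Flags [S], seq 100, win 64240, length 0",
    f"12:00:00.000011 IP 192.0.2.44.51000 > {SERVER}.27015: Flags [P.], seq 101:141, ack 1, win 502, length 40",
    f"12:00:00.000012 IP {SERVER}.27020 > 198.51.100.1.443: Flags [R], seq 1, win 0, length 0",
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE, SERVER, OPEN_PORTS).items():
        print(f"{key}: {value}")
```

A high `stray_ack_share` spread over many sources points at a rate limit on ACK-only segments to ports with no listener, rather than a per-source block.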
