After the latest attacks against the shared
hosting, we have added a protection aimed at
this specific attack.
The attack consists of opening many
simultaneous connections (so it is not a SYN flood);
each connection then does nothing and waits for the timeout.
We were already protected against this attack,
but evidently some people have found a way to bypass
the existing protections.
So we added a limit on the number of connections
that one IP can make to the shared hosting, and we set
it to 50 simultaneous connections per IP. After
that we whitelisted some IPs (Google, etc.).
If an IP reaches the limit of 50 simultaneous connections,
the firewall does not open for 2 seconds. After 2 seconds
it re-evaluates the situation and makes another decision:
either the IP is under 50 connections and it opens the connection, or
it stays on standby for 2 more seconds.
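The decision logic described above, modelled as an added example; it is not the hosting provider's firewall code or configuration. The class and function names, the sample addresses (documentation ranges) and the timings in `simulate()` are constructed for illustration; only the limit of 50 and the 2-second lockout come from the post.

```python
import ipaddress

LIMIT = 50      # simultaneous connections allowed per source IP (from the post)
LOCKOUT = 2.0   # seconds the firewall stays closed before re-evaluating (from the post)

class PerIpLimiter:
    """Hypothetical model of a per-source concurrent-connection limit."""

    def __init__(self, whitelist=(), limit=LIMIT, lockout=LOCKOUT):
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]
        self.limit, self.lockout = limit, lockout
        self.open_conns = {}     # ip -> connections currently open
        self.locked_until = {}   # ip -> time at which the lockout is re-evaluated

    def try_open(self, ip, now):
        # True if a new connection from ip is accepted at time `now` (seconds).
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in self.whitelist):
            if now < self.locked_until.get(ip, 0.0):
                return False     # still inside a lockout window
            if self.open_conns.get(ip, 0) >= self.limit:
                self.locked_until[ip] = now + self.lockout
                return False     # at the limit: closed for another 2 s
        self.open_conns[ip] = self.open_conns.get(ip, 0) + 1
        return True

    def close(self, ip, count=1):
        # Connections that finished or hit their idle timeout.
        self.open_conns[ip] = max(0, self.open_conns.get(ip, 0) - count)

def simulate():
    # Constructed scenario: one client holding idle connections, one whitelisted crawler.
    fw = PerIpLimiter(whitelist=["192.0.2.0/24"])
    client, crawler = "203.0.113.7", "192.0.2.10"
    accepted = sum(fw.try_open(client, 0.0) for _ in range(60))  # 60 attempts at t=0
    during = fw.try_open(client, 1.0)        # inside the first 2 s window
    still_over = fw.try_open(client, 2.5)    # re-evaluated, 50 still open
    fw.close(client, 10)                     # ten idle connections time out
    inside_again = fw.try_open(client, 3.0)  # second window runs until t=4.5
    after = fw.try_open(client, 4.6)         # re-evaluated, now under 50
    crawler_ok = sum(fw.try_open(crawler, 0.0) for _ in range(60))
    return accepted, during, still_over, inside_again, after, crawler_ok

if __name__ == "__main__":
    print(simulate())
```

In this model a source that drops below the limit during a lockout window is still refused until the window ends, which matches the re-evaluation every 2 seconds described in the post.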
0.0.0.0 /0 lid 1
slb template policy ip_limit
class-list name any
class-list lid 1
over-limit-action lockout 2 log 1
Date: 2011-08-27 12:54:02 UTC
p19-77-a10#sh class-list any