How to limit number of states from external ips to one specific internal IP?

  • We've been getting DDoS attacks lately. TCP SYN floods from 300,000+ random IP addresses, meaning 300,000+ state table entries from random IPs to one specific IP on our network.

    We find that blackholing the target IP helps, but until we notice it the state table can fill up and that causes other issues.

    How can I place a limit on the number of states that can be created from any number of external addresses to one specific internal address?

    The settings I see seem to limit the number of states involving the source IP…


  • You should be able to have a pass rule on WAN from source any, destination "specific IP on your network" and then in the Advanced Features, Advanced Options section choose things like:

    • Maximum state entries this rule can create
    • Maximum number of unique source hosts

    Those should let you limit the "passed" state entries created.

    Of course, you can't tell it to let the genuine connections through and block just the DDOS ones!

  • That would probably work for some cases here…

    But what if I don't know which local IP it will be?  I'd like to set a limit of, say, 10,000 states per internal IP address regardless of the remote IPs.

  • If you do not have hundreds of internal servers, then you can make a rule for each internal server IP as destination. That is work to set up if you have a lot of web servers, so others feel free to add suggestions.
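    The two knobs named in the earlier answer ("Maximum state entries this rule can create" and "Maximum number of unique source hosts") correspond to pf's `max` and `max-src-nodes` state options, and the suggestion just above is to repeat such a rule once per internal server. The script below is an added example, not code from anyone in this thread: it generates one per-destination pass rule from a list of internal server IPs so that a flood toward any one server is capped at a fixed number of states rather than filling the whole table. The interface name, the server list and the limit values are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): emit one pf.conf pass rule per internal
# server, capping the states external sources can create toward each one.
# Assumptions: the WAN interface name, the server list and the limits below are
# placeholders; "max" and "max-src-nodes" are pf's per-rule state options.

WAN_IF="${WAN_IF:-em0}"                 # placeholder WAN interface name
MAX_STATES="${MAX_STATES:-10000}"       # ceiling on states this rule may hold
MAX_SRC_NODES="${MAX_SRC_NODES:-5000}"  # ceiling on distinct source hosts tracked

# gen_rules: read internal server IPs (one per line) on stdin and print one
# stateful pass rule per address. Blank lines and '#' comments are skipped.
gen_rules() {
  while IFS= read -r ip; do
    case "$ip" in ''|\#*) continue ;; esac
    printf 'pass in quick on %s proto tcp from any to %s flags S/SA keep state (max %s, max-src-nodes %s)\n' \
      "$WAN_IF" "$ip" "$MAX_STATES" "$MAX_SRC_NODES"
  done
}

# count_rules: number of rules generated for the server list on stdin.
count_rules() { gen_rules | grep -c '^pass in quick'; }

# Constructed internal server list; replace with the real addresses.
SERVERS='192.0.2.10
192.0.2.11
# comment lines and blanks are ignored

192.0.2.12'

printf '%s\n' "$SERVERS" | gen_rules
```

Because each rule has its own `max`, a SYN flood aimed at one server can occupy at most that rule's share of the state table, and the other servers keep their own headroom. Before loading the output on a real firewall, check its syntax without applying it with `pfctl -nvf <generated-file>`; keep in mind that once the cap is reached, legitimate new connections to that server are dropped along with the flood, which is the trade-off the earlier answer points out.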

