I experienced my first DDoS attack on my W5500-based system yesterday and failed the test miserably. But I captured the attack with Wireshark and came up with a strategy of recording the system time when each socket first enters the SYNRECV state and forcibly closing them if they remain in that state longer than some timeout period.
In the long term I’ll make this timeout a configurable parameter, but in the short term I’m experimenting to identify a potential default value. I tested with 5ms and 10ms today, but saw remote visitors’ connections timing out at both, so I’ve increased it to 20ms. I understand that making it too low will prevent legitimate traffic from high-latency connections from using my system, so I’m trying to find a balance between making my system semi-usable during attacks and rejecting legitimate traffic.
I added a “Delta Time” column to my Wireshark capture display and sorted the attack data by time between incoming SYN packets. Scrolling down suggests that a 20ms timeout would have allowed me to reject ~80% of packets received during the attack without expending significant resources other than the socket itself.
One other thought… I could set the initial timeout quite high, and add code to detect a SYN Flood DDoS attack. When an attack is detected I could reduce the timeout, then increase it once the attack ends.
Has anyone else tackled this problem, and if so, what approach did you use and how well did it work?
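As an added illustration of the approach sketched in this thread (this is example code, not the poster's firmware and not part of WIZnet's W5500 library), the C below tracks when each of the chip's 8 hardware sockets enters SYNRECV, reaps sockets that stay there past a timeout, and switches between a generous "normal" timeout and a short "attack" timeout based on the SYN arrival rate, which covers the adaptive idea from the last paragraph as well. It is deliberately hardware-independent: the caller reports socket state changes and a millisecond tick, and issues the real close command to the chip for every socket flagged in the returned bitmask. All names (`syn_guard_*`), the timeout values and the rate threshold are assumptions chosen for the example; the only W5500 fact relied on is the socket count.

```c
/* Added example (not from the post or the WIZnet library): a SYN-RECV watchdog
 * for a fixed pool of hardware sockets, with an adaptive timeout driven by a
 * simple SYN-rate detector. Hardware-independent: the caller reports state
 * transitions and the clock, and acts on the returned close verdicts itself. */
#include <stdint.h>
#include <stdbool.h>

#define NUM_SOCKETS 8   /* the W5500 provides 8 hardware sockets */

enum sock_state { SOCK_CLOSED, SOCK_SYNRECV, SOCK_ESTABLISHED };

struct syn_guard {
    enum sock_state state[NUM_SOCKETS];
    uint32_t synrecv_since_ms[NUM_SOCKETS]; /* when each socket entered SYNRECV */
    uint32_t normal_timeout_ms;   /* generous timeout while no flood is seen */
    uint32_t attack_timeout_ms;   /* short timeout while a flood is detected */
    uint32_t timeout_ms;          /* timeout currently in force */
    uint32_t window_ms;           /* length of the SYN-rate measurement window */
    uint32_t syn_threshold;       /* SYNs per window that flag a flood */
    uint32_t window_start_ms;
    uint32_t syn_count;           /* SYNs seen in the current window */
    bool under_attack;
    uint32_t closed_total;        /* half-open sockets reaped so far */
};

void syn_guard_init(struct syn_guard *g, uint32_t normal_ms, uint32_t attack_ms,
                    uint32_t window_ms, uint32_t threshold, uint32_t now_ms)
{
    for (int i = 0; i < NUM_SOCKETS; i++) {
        g->state[i] = SOCK_CLOSED;
        g->synrecv_since_ms[i] = 0;
    }
    g->normal_timeout_ms = normal_ms;
    g->attack_timeout_ms = attack_ms;
    g->timeout_ms = normal_ms;
    g->window_ms = window_ms;
    g->syn_threshold = threshold;
    g->window_start_ms = now_ms;
    g->syn_count = 0;
    g->under_attack = false;
    g->closed_total = 0;
}

/* At the end of each window decide whether a flood is (still) in progress and
 * pick the timeout accordingly. Unsigned subtraction keeps the elapsed-time
 * arithmetic correct when the millisecond counter wraps around. */
static void syn_guard_update_detector(struct syn_guard *g, uint32_t now_ms)
{
    if ((uint32_t)(now_ms - g->window_start_ms) < g->window_ms)
        return;
    g->under_attack = g->syn_count >= g->syn_threshold;
    g->timeout_ms = g->under_attack ? g->attack_timeout_ms : g->normal_timeout_ms;
    g->window_start_ms = now_ms;
    g->syn_count = 0;
}

/* Call when socket s moves to SYNRECV (a SYN arrived on a listening socket). */
void syn_guard_on_syn(struct syn_guard *g, int s, uint32_t now_ms)
{
    syn_guard_update_detector(g, now_ms);
    g->state[s] = SOCK_SYNRECV;
    g->synrecv_since_ms[s] = now_ms;
    g->syn_count++;
    /* Tighten the timeout as soon as the threshold is crossed rather than
     * waiting for the window to end; it relaxes again at a quiet window end. */
    if (g->syn_count >= g->syn_threshold) {
        g->under_attack = true;
        g->timeout_ms = g->attack_timeout_ms;
    }
}

void syn_guard_on_established(struct syn_guard *g, int s) { g->state[s] = SOCK_ESTABLISHED; }
void syn_guard_on_closed(struct syn_guard *g, int s)      { g->state[s] = SOCK_CLOSED; }

/* Periodic tick. Marks stale half-open sockets CLOSED in the tracker and
 * returns a bitmask (bit s = socket s) of the sockets the caller must now
 * actually close on the chip. Established sockets are never touched. */
uint8_t syn_guard_poll(struct syn_guard *g, uint32_t now_ms)
{
    uint8_t reap_mask = 0;
    syn_guard_update_detector(g, now_ms);
    for (int s = 0; s < NUM_SOCKETS; s++) {
        if (g->state[s] != SOCK_SYNRECV)
            continue;
        if ((uint32_t)(now_ms - g->synrecv_since_ms[s]) >= g->timeout_ms) {
            g->state[s] = SOCK_CLOSED;
            g->closed_total++;
            reap_mask |= (uint8_t)(1u << s);
        }
    }
    return reap_mask;
}
```

With a constructed setting of 2000 ms normal, 20 ms attack, a 100 ms window and a threshold of 5 SYNs per window, a lone SYN is left alone for two full seconds, but once five SYNs land inside one window the timeout drops to 20 ms and every half-open socket older than that is reaped on the next poll; after a window with fewer than five SYNs the timeout returns to 2000 ms. Tuning the window and threshold against a capture like the one described above is what decides how much legitimate high-latency traffic the short timeout costs.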