Recently my network has been the victim of attacks on port 80. There will be hundreds of connections from the same source IP connecting to my customer's public IP address. The connections will max out their bandwidth and make it nearly impossible for them to even browse the internet.
I’ve identified multiple offending IP addresses, but I’m almost positive that they are spoofed and they change often. Looking up the IP addresses usually ends up being some legit company like Microsoft, Google, Amazon, etc.
I can sit for hours, if the attacks last that long, and add offending IP blocks to an address list that drops them. This will also drop legit traffic to/from those IP blocks.
Question – Is there a firewall rule that will limit incoming connections on the WAN interface from any IP address without adversely affecting normal traffic?
My goal isn’t to stop the DoS but to lessen the impact of the attack.
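One way to build the per-source limit the question asks for, as an added RouterOS firewall example that is not from this thread or from any poster in it. It assumes the WAN interface is named `ether1`, that the customers' public space is held in an address list called `customers` (the `203.0.113.0/24` range is a constructed placeholder), and that 50 concurrent TCP/80 connections from a single source address is a threshold above anything a normal client needs; the list name `port80_flood` and the 10-minute timeout are likewise assumptions to tune.

```routeros
# Added example, not from the thread. Per-source TCP/80 connection limiting
# on the edge router, upstream of the customer links that are saturating.
# Assumptions: WAN = ether1, customer public space in list "customers",
# 50 concurrent connections per source is the flood threshold.

# Customer public ranges (constructed placeholder range, not from the thread)
/ip firewall address-list
add list=customers address=203.0.113.0/24 comment="customer public space (placeholder)"

/ip firewall filter
# 1. Drop anything already flagged as a flooder. Placed first so the cheap
#    address-list lookup handles repeat packets before any other matching.
add chain=forward in-interface=ether1 src-address-list=port80_flood \
    action=drop comment="drop sources flagged for port-80 flooding"

# 2. Flag a source once it holds more than 50 tracked TCP/80 connections to
#    customer space. connection-limit=50,32 counts per single /32 source, so
#    unrelated addresses are never aggregated. The entry expires after 10
#    minutes, so an address that turns out to be a shared NAT, CDN or cloud
#    provider (the Microsoft/Google/Amazon lookups in the question) is
#    unblocked automatically instead of staying in a hand-maintained drop
#    list indefinitely.
add chain=forward in-interface=ether1 protocol=tcp dst-port=80 \
    dst-address-list=customers connection-state=new connection-limit=50,32 \
    action=add-src-to-address-list address-list=port80_flood \
    address-list-timeout=10m comment="flag per-source TCP/80 connection floods"
```

Two points on where and how this is applied. The rules use `chain=forward` because the traffic transits the edge router on its way to the customers; for traffic aimed at the router itself the equivalent rules belong in `chain=input`. Dropping must happen on the router upstream of the link that is filling up: a rule on the customer CPE can only discard packets that have already crossed the saturated inbound link, so it saves CPU but not bandwidth. Because `connection-limit` counts connections in the connection-tracking table per source address, it matches the pattern described (hundreds of connections from one source) without touching normal clients that hold a handful of connections; what it does not count is hundreds of different forged sources each sending one packet, and for that only the per-source timeout keeps the list from filling with collateral entries.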
Is your problem hitting maximum upload bandwidth to the outside (global) and consuming high CPU?
If that is the problem, please go to IP->DNS and check the “allow remote dns” box. If it’s enabled, it will cause high CPU load and max out the upload bandwidth, because some outside networks are trying to request DNS from your routerboard.
Hitting maximum bandwidth for the customers under attack.
CPU load on my edge router is fine. Haven’t looked at the CPU load on the customer CPE, but I imagine it’s high.
It’s not a DNS attack. It’s TCP port 80.