I read about it, but it does not solve my problem since it doesn’t differentiate between separate source IPs. I mean it doesn’t support a separate counter for each source IP, it’s a global counter.
And also it limits packets per time interval, not connections per time interval (although I could workaround it with tracking SYNs).
will match from a single IP up to 70 new connections (burst) and then 40 new connections in the interval of 5 seconds. The pair src-addr/dst-addr expires in 1 hour (I don’t really understand what happens after it expires).
Will this work as I describe?
IMHO it should be:
add action=jump chain=forward connection-state=new dst-port=80 jump-target=anti-ddos protocol=tcp
add action=return chain=anti-ddos dst-limit=40/5s,70,src-and-dst-addresses/1h
add action=drop chain=anti-ddos
Line 2 allows up to 40 new connections in the interval of 5 seconds; line 3 explicitly drops packets if the number of new connections is above 40/5s. This post should also be useful for you in case of a DDoS attack.
The pair src-addr/dst-addr expires in 1 hour (I don’t really understand what happens after it expires).
All counters for this particular src-addr/dst-addr pair are deleted and measurement starts from beginning.
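An added model (not RouterOS code, and not from either poster) of how the per-pair limit described in this thread behaves. It assumes token-bucket semantics: the burst (70) is the bucket capacity, 40/5s is the refill rate, each new connection spends one token, and a pair idle for 1 hour is deleted so its measurement starts from the beginning; the addresses are constructed.

```python
"""Educational model of a per-pair limiter with the semantics the thread attributes to
dst-limit=40/5s,70,src-and-dst-addresses/1h (constructed example, not RouterOS code)."""


class PairLimiter:
    """Token bucket keyed by (src, dst): capacity = burst, refill = rate/interval per second.

    A pair whose bucket has been idle for `expire` seconds is deleted, so the next connection
    from that pair starts again with a full burst (the 'measurement starts from beginning' case).
    """

    def __init__(self, rate, interval, burst, expire):
        self.per_second = rate / interval   # 40/5s -> 8 new connections per second
        self.burst = burst                  # 70
        self.expire = expire                # 3600 s
        self.buckets = {}                   # (src, dst) -> [tokens, last_seen]

    def _purge(self, now):
        for key in [k for k, (_, seen) in self.buckets.items() if now - seen >= self.expire]:
            del self.buckets[key]

    def allow(self, src, dst, now):
        """True if a new connection src->dst at time `now` is within the limit."""
        self._purge(now)
        tokens, seen = self.buckets.get((src, dst), (float(self.burst), now))
        tokens = min(self.burst, tokens + (now - seen) * self.per_second)  # refill while idle
        ok = tokens >= 1.0
        self.buckets[(src, dst)] = [tokens - 1.0 if ok else tokens, now]
        return ok

    def tracked(self):
        """Number of (src, dst) pairs currently holding a counter."""
        return len(self.buckets)


def count_allowed(limiter, src, dst, now, attempts):
    """How many of `attempts` simultaneous new connections pass at time `now`."""
    return sum(limiter.allow(src, dst, now) for _ in range(attempts))


def demo():
    lim = PairLimiter(rate=40, interval=5, burst=70, expire=3600)
    first = count_allowed(lim, "198.51.100.7", "192.0.2.80", now=0, attempts=100)    # 70
    after5 = count_allowed(lim, "198.51.100.7", "192.0.2.80", now=5, attempts=100)   # 40
    other = count_allowed(lim, "198.51.100.8", "192.0.2.80", now=5, attempts=100)    # 70, own counter
    # More than 1 h of silence later both earlier pairs have been forgotten.
    count_allowed(lim, "198.51.100.9", "192.0.2.80", now=3700, attempts=1)
    return first, after5, other, lim.tracked()


if __name__ == "__main__":
    print(demo())   # (70, 40, 70, 1)
```

The second source gets its own full burst, which is the per-source behaviour the question asked about; the per-pair counter is what gets dropped after the 1h expiry.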