Be very very very careful if you're going to have an automated black hole function.
The automated black hole itself could be used as a DDoS vector without the need for any botnet -
The firewall rules you posted don't require any amount of bandwidth consumption to be considered an attack - just number of connections/sec.
(and they also include UDP, even though the rules are labeled as SYN rules in their comments)
So I could just port scan a host over and over, and if it gets thrown into a black hole because I port scanned it... well, I hope the problem is obvious.
If they decided to do this to your DNS server, for instance, then you'd be having a very bad day indeed.
Good point. I have many other rules prior to that one to get rid of port scanners and anyone trying to telnet into servers, etc. My servers are on another chain and go through a different set of rules. I wonder if it would be better to do it based on bandwidth? Since we are a WISP there are limits to how much we offer, so I could, for example, create a list of anyone having more than X amount of bandwidth flooding them and then black hole them? When an attack is larger than our 1 gig fiber it wouldn't matter if I black holed the entire network since nobody can get online at the time anyways.
The problem with manual is that I am the only IT person at this company. If I'm out trying to enjoy my life it's a real inconvenience for me when the system needs my attention. But then again, it's not like these happen every day, I guess.
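As an added illustration of both posts above (this is example code written for this page, not anything either poster ran, and it models neither poster's actual rule set): a toy automated black-hole policy evaluated over constructed one-second traffic samples. The first policy triggers on new connections per second regardless of protocol, as the warning describes; the second triggers only when the traffic aimed at a destination exceeds that customer's plan, as the follow-up proposes. The thresholds, the plan table, the addresses and the flow samples are all assumptions made up for the example.

```python
# Added example for this thread, not code from either poster.
# Simulates an automated black-hole decision over constructed flow samples
# to show that a connections/sec trigger lets a single port scanner get a
# victim's IP black-holed, while a bandwidth trigger does not react to it.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str     # "tcp" or "udp"
    dport: int
    packets: int   # packets seen in the one-second window
    bytes: int     # bytes seen in the one-second window


# Constructed one-second samples (not real captures). Addresses are from
# documentation ranges and hypothetical customer space.
# 1) One host port-scanning customer 10.0.0.5: one SYN per port, ~60 bytes
#    each. Thousands of "connections/sec", under 1 Mbit/s of bandwidth.
PORT_SCAN = [Flow("203.0.113.9", "10.0.0.5", "tcp", p, 1, 60)
             for p in range(1, 2001)]
# 2) The same trick over UDP against a DNS server at 10.0.0.53; the thread
#    notes the "SYN" rules also match UDP, so this counts too.
UDP_SCAN = [Flow("203.0.113.9", "10.0.0.53", "udp", p, 1, 60)
            for p in range(1, 2001)]
# 3) A real volumetric flood at 10.0.0.7: six sources, ~144 Mbit/s total.
FLOOD = [Flow(f"198.51.100.{i}", "10.0.0.7", "udp", 80, 2_000, 1_500 * 2_000)
         for i in range(1, 7)]
# 4) Ordinary customer traffic at 10.0.0.8.
NORMAL = [Flow("192.0.2.1", "10.0.0.8", "tcp", 443, 400, 400 * 1_200)]

# Hypothetical per-customer plan limits in bit/s.
PLANS = {
    "10.0.0.5": 50_000_000,
    "10.0.0.53": 50_000_000,
    "10.0.0.7": 50_000_000,
    "10.0.0.8": 50_000_000,
}


def per_destination(flows):
    """Aggregate new-connection count and bit rate per destination address."""
    conns = defaultdict(int)
    bits = defaultdict(int)
    for f in flows:
        conns[f.dst] += 1          # one new "connection" per flow record
        bits[f.dst] += f.bytes * 8
    return conns, bits


def blackhole_by_connections(flows, max_conns_per_sec=200):
    """Policy as warned about: black-hole any destination that receives more
    than max_conns_per_sec new connections, TCP or UDP, bandwidth ignored."""
    conns, _ = per_destination(flows)
    return {dst for dst, c in conns.items() if c > max_conns_per_sec}


def blackhole_by_bandwidth(flows, plans):
    """Policy as proposed: black-hole a destination only when the traffic
    aimed at it exceeds that customer's plan (destinations with no plan
    entry are treated as 0 bit/s, i.e. unknown hosts are never spared)."""
    _, bits = per_destination(flows)
    return {dst for dst, b in bits.items() if b > plans.get(dst, 0)}


def uplink_saturated(flows, uplink_bits_per_sec=1_000_000_000):
    """True when the sample alone exceeds the (assumed 1 Gbit/s) uplink,
    the case where black-holing one host no longer changes anything."""
    _, bits = per_destination(flows)
    return sum(bits.values()) > uplink_bits_per_sec


if __name__ == "__main__":
    sample = PORT_SCAN + UDP_SCAN + FLOOD + NORMAL
    print("connections/sec policy black-holes:", sorted(blackhole_by_connections(sample)))
    print("bandwidth policy black-holes:      ", sorted(blackhole_by_bandwidth(sample, PLANS)))
    print("uplink saturated:", uplink_saturated(sample))
```

Run as-is: the connections/sec policy black-holes 10.0.0.5 and 10.0.0.53, both scanned by a single host that sent under 1 Mbit/s, which is exactly the botnet-free DoS the first post warns about; the bandwidth policy ignores the scans and black-holes only 10.0.0.7, the one destination actually being flooded past its plan. The `proto` field is kept on each flow so the UDP case can be inspected; the connection policy deliberately never looks at it, matching the observation that the rules as labeled do not distinguish SYN from UDP.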