SYN-attack and emergency mode

[Guest]

[Shadowd]

Hello!

I Have a ddos syn-attack and Comodo goes to emergency mode. I use COMODO to protect my webserver. How can I disable emergency mode? How to adjust Comodo settings to not block all incoming ports when attack is observed. Is there any solution to stay ports open and block atackers IPs?

[grue155]

Welcome to the forums, Shadowd

In v2.4, you can't really disable emergency mode. You can control it to some degree. Click Security -> Advanced, Advanced Attack Detection - Configure, and at the very bottom is the duration of emergency mode. The default is 120 seconds. I don't know if 0 would turn it off, but setting for 1 to 5 seconds would be a good approximation.

It's not possible to do that DDoS detection by port number, as it's timing the volume of traffic that comes in. You can tweak the duration numbers some, but that's the limit of CFP v2.4 capability. CFP v3 is not that different, so the prospect of an upgrade wouldn't gain you much in this instance.

[gibran]

Is there any solution to stay ports open and block atackers IPs?

I guess it's not easy like it seems. Syn attacks usually have spoofed Source IP so blocking those IPs could cause to deny connection from legit sources (this could actually facilitate the attacker purpose) as I guess it is also unlikely that only one fake IP is used to carry on such attacks.

[Tags:]