That rule matches only against ICMP packets, not SYN packets. I also wouldn't spend time looking into attacks when you don't have DDoS mitigation applied; it will be a pointless venture, as you'll constantly be chasing up what had happened instead of being at the forefront. A DDoS mitigation service provider, like maybe Cloudflare, could help ease the need to understand exactly what sort of attacks you are facing, and besides, bandwidth saturation is inevitable.
# DDOS Extortion
The rule:
```
iptables -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
```
indirectly allows the attackers to know that you're rate-limiting their packets, by returning it back to them, thus potentially causing things like amplification attacks. Amplification attacks not only saturate a node's downstream but also their upstream if the firewall rules are improperly configured.
What I would do is to make use of iptables-extensions:
- things like (but not limited to) `-m conntrack`, `-m set`
- set up a way to effectively monitor a packet's flags, especially for TCP, to identify "bad TCP"
- and effectively block the potential attacker via their IP address if it reaches a specific threshold that I set for bad TCP packets.
All bad IP addresses will effectively not be able to communicate at all with my (firewall) node, as their packets are all `-j DROP`, which silently ignores their packets.
This is a rather extreme setup, and still wouldn't be as efficient as looking into DDoS mitigation service providers. I must stress that DDoS attacks, especially those with multiple IP addresses as sources, targeting your single node may not be easily thwarted by simply dropping or blocking them. This is like having that one phone line be constantly occupied by unwanted callers, and you have no effective way to stop them without disconnecting that phone line, which would also equate to you not being able to make or receive calls, as a subsequent result.
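As an added illustration (not code from the post, and not iptables itself), the following Python models the two firewall decisions the post talks about: the token bucket behind `-m limit --limit 1/s --limit-burst 3` in the `syn_flood` chain, and a per-source counter of "bad TCP" flag combinations that bans a source once it reaches a threshold, the way one would feed an ipset matched with `-m set`. The class names `LimitMatch` and `BadTcpBanList` and the packet records are this example's own constructions; the comments give the iptables match each branch corresponds to, and the token bucket is a simplified model of the kernel's `limit` match, not its exact tick-based accounting.

```python
"""Model of two iptables behaviours: the `limit` token bucket and a
per-source bad-TCP ban list. All packets below are constructed samples."""
from collections import defaultdict

# TCP flag bits in the order iptables --tcp-flags uses them
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


class LimitMatch:
    """Token bucket equivalent of `-m limit --limit <rate>/s --limit-burst <burst>`.
    allow(now) is True when the packet matches (in the post's chain that is the
    `-j RETURN` branch) and False when the bucket is empty, i.e. the packet
    falls through to whatever rule follows in the chain (typically DROP)."""

    def __init__(self, rate_per_sec, burst):
        self.rate = float(rate_per_sec)
        self.burst = float(burst)
        self.tokens = float(burst)   # bucket starts full: the burst is allowed at once
        self.last = 0.0

    def allow(self, now):
        # refill proportionally to elapsed time, never above the burst size
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def run_syn_flood(syn_times, rate=1.0, burst=3):
    """Feed SYN arrival times (seconds) through the limit match; return verdicts."""
    lm = LimitMatch(rate, burst)
    return ["RETURN" if lm.allow(t) else "DROP" for t in syn_times]


def is_bad_tcp(flags):
    """Flag combinations that never occur in a legitimate TCP exchange.
    iptables equivalents, one rule each:
      -p tcp --tcp-flags ALL NONE           (null packet)
      -p tcp --tcp-flags SYN,FIN SYN,FIN    (SYN+FIN)
      -p tcp --tcp-flags SYN,RST SYN,RST    (SYN+RST)
      -p tcp --tcp-flags ALL FIN,PSH,URG    (xmas packet)
      -p tcp --tcp-flags FIN,ACK FIN        (FIN without ACK)"""
    if flags == 0:
        return True
    if flags & (SYN | FIN) == (SYN | FIN):
        return True
    if flags & (SYN | RST) == (SYN | RST):
        return True
    if flags == (FIN | PSH | URG):
        return True
    if flags & FIN and not flags & ACK:
        return True
    return False


class BadTcpBanList:
    """Counts bad-TCP packets per source and bans the source at `threshold`.
    A banned source is dropped outright, which is what
    `-m set --match-set badips src -j DROP` at the top of INPUT does once the
    address has been added to the `badips` ipset."""

    def __init__(self, threshold):
        self.threshold = threshold
        self.counts = defaultdict(int)
        self.banned = set()

    def decide(self, src, flags):
        if src in self.banned:
            return "DROP"                  # already in the ipset
        if is_bad_tcp(flags):
            self.counts[src] += 1
            if self.counts[src] >= self.threshold:
                self.banned.add(src)       # equivalent of: ipset add badips <src>
            return "DROP"                  # the bad packet itself is dropped
        return "ACCEPT"


# Constructed sample traffic: (source address, TCP flags); documentation-range IPs.
SAMPLE_PACKETS = [
    ("203.0.113.7", 0),            # null packet            -> bad (count 1)
    ("198.51.100.2", SYN),         # ordinary SYN           -> fine
    ("203.0.113.7", SYN | FIN),    # SYN+FIN                -> bad (count 2)
    ("203.0.113.7", SYN),          # normal SYN, not banned yet -> accepted
    ("198.51.100.2", PSH | ACK),   # data segment           -> fine
    ("203.0.113.7", FIN),          # FIN without ACK        -> bad (count 3, banned)
    ("203.0.113.7", SYN),          # now dropped by the ban, although benign
]


def run_ban_list(packets=SAMPLE_PACKETS, threshold=3):
    """Apply the ban list to a packet sequence; return (verdicts, banned set)."""
    bl = BadTcpBanList(threshold)
    verdicts = [bl.decide(src, flags) for src, flags in packets]
    return verdicts, set(bl.banned)


if __name__ == "__main__":
    print(run_syn_flood([0, 0, 0, 0, 0.5, 1.0, 2.0]))
    print(run_ban_list())
```

The last sample packet shows the trade-off the post warns about: once a source is in the set, its legitimate SYNs are dropped too, and with many spoofed or distributed sources the set fills up without the upstream saturation ever going away.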