
I've been wondering if the csf firewall counts the connections for the last CT_INTERVAL seconds and then compares them to the CT_LIMIT value, or it just counts the current (at the moment) connections and then compares them to CT_LIMIT?

Because, if the latter, an attacker can easily guess the CT_INTERVAL, and then flood your server for CT_INTERVAL-1 seconds, and not send any connections right when the firewall checks the connections. Actually, I believe this has happened to us recently, and we had to manually block the offending ip.

Thanks in advance!

Shumoapp

1 Answer


Since nobody answered, I downloaded the csf firewall source code, and checked how the CT_LIMIT parameter is used. Apparently the connection information is read from /proc/net/tcp|udp|etc.., which contains only the current connections to the server.

So it appears an attacker can easily circumvent the csf firewall DOS protection by pausing at the time the firewall verifies the current active connections.

A temporary workaround could be to set the CT_INTERVAL to 10 seconds (that's the minimum), hence forcing the firewall to check for current connections every 10 seconds. This would make it harder for an attacker to guess the exact time he has to pause the attack.

Shumoapp
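To make the answer's point concrete, here is an added example (not csf code, and not from the original post) that parses the /proc/net/tcp text format the answer refers to, counts ESTABLISHED connections per remote address, and contrasts a single-snapshot check with one that keeps the peak per-IP count across several snapshots taken inside the interval. The sample snapshots are constructed; the server/client/flooder addresses, the "more than CT_LIMIT" trigger condition, and counting only ESTABLISHED sockets are assumptions for the demonstration, not a description of csf's actual tracking logic.

```python
import socket
import struct
from collections import Counter

# /proc/net/tcp socket state 01 = TCP_ESTABLISHED, 06 = TCP_TIME_WAIT
ESTABLISHED = "01"
TIME_WAIT = "06"

def decode_addr(hex_addr):
    """Decode an IPv4 'AABBCCDD:PPPP' field from /proc/net/tcp into (ip, port).
    The address is the 32-bit word in host byte order, which on x86 reads little-endian."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def encode_addr(ip, port):
    """Inverse of decode_addr; only used to build the constructed sample snapshots below."""
    (word,) = struct.unpack("<I", socket.inet_aton(ip))
    return "%08X:%04X" % (word, port)

def established_per_remote(snapshot):
    """Count ESTABLISHED connections per remote IP in one /proc/net/tcp snapshot (as text)."""
    counts = Counter()
    for line in snapshot.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        remote_ip, _ = decode_addr(fields[2])  # column 2 = rem_address, column 3 = st
        if fields[3] == ESTABLISHED:
            counts[remote_ip] += 1
    return counts

def instantaneous_offenders(snapshot, ct_limit):
    """What a check on a single snapshot sees: IPs currently holding more than ct_limit connections."""
    return {ip for ip, n in established_per_remote(snapshot).items() if n > ct_limit}

def windowed_offenders(snapshots, ct_limit):
    """Keep the peak per-IP count over several snapshots taken within one interval,
    so a burst that ends before the final snapshot is still seen (assumed approach, not csf's)."""
    peak = Counter()
    for snap in snapshots:
        for ip, n in established_per_remote(snap).items():
            peak[ip] = max(peak[ip], n)
    return {ip for ip, n in peak.items() if n > ct_limit}

HEADER = "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode"
SERVER = "10.0.0.15"       # constructed local address
FLOODER = "203.0.113.5"    # constructed: the bursty remote host
CLIENT = "198.51.100.7"    # constructed: an ordinary client

def make_snapshot(connections):
    """Build constructed /proc/net/tcp text from (remote_ip, remote_port, state) tuples."""
    lines = [HEADER]
    for i, (rip, rport, state) in enumerate(connections):
        lines.append("%4d: %s %s %s 00000000:00000000 00:00000000 00000000     0        0 %d 1 0000000000000000 100 0 0 10 0"
                     % (i, encode_addr(SERVER, 80), encode_addr(rip, rport), state, 10000 + i))
    return "\n".join(lines)

# Two moments inside one CT_INTERVAL: a burst, and the quiet moment when the check runs.
BURST = make_snapshot([(FLOODER, 40000 + i, ESTABLISHED) for i in range(8)] + [(CLIENT, 51000, ESTABLISHED)])
QUIET = make_snapshot([(CLIENT, 51000, ESTABLISHED), (FLOODER, 40000, TIME_WAIT)])
CT_LIMIT = 5

if __name__ == "__main__":
    print("single check at the quiet moment:", instantaneous_offenders(QUIET, CT_LIMIT))
    print("peak across the interval:", windowed_offenders([BURST, BURST, QUIET], CT_LIMIT))
```

Running the block shows the single check at the quiet moment reporting no offender, while the windowed view reports 203.0.113.5 with a peak of 8 connections, which is the gap the answer describes. On a real host the same parser can be pointed at `open("/proc/net/tcp").read()`; the windowed variant is just a way to sample more often than the interval, which is also the effect of the shorter CT_INTERVAL the answer suggests.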