I've been wondering if the csf firewall counts the connections for the last CT_INTERVAL seconds and then compares them to the CT_LIMIT value, or it just counts the current (at the moment) connections and then compares them to CT_LIMIT?
Because, if the latter, an attacker can easily guess the CT_INTERVAL, and then flood your server for CT_INTERVAL-1 seconds, and not send any connections right when the firewall checks the connections. Actually, I believe this has happened to us recently, and we had to manually block the offending IP.
Thanks in advance!