SYN flooding on port 80 and High 5 minute load average alert


Well-Known Member
Nov 6, 2011
cPanel Access Level
Root Administrator
WHM is running CSF Firewall and I pay my Hosting partner for a Hardware Firewall which they claim "provides limited protection against Denial Of Service (DoS) attacks."

A recent email generated by CSF claimed a "High 5 minute load average alert", so I checked /var/log/messages. In there, I found the line:

"TCP: Possible SYN flooding on port 80. Sending cookies."

It seems that there are a large number of attempts to connect to Port 21 - FTP.
I have this Port disabled in CSF Firewall and allow only the two IPs I ever need to use, which prevents unauthorised access. However, it doesn't stop hackers hammering away at the server many times per second and drowning it in requests.

I looked up the 200+ IPs and found they were all from the same district in China.
I do get legitimate Chinese traffic so I can't block the whole country. I have a limit of 100 IPs I can block in CSF, so I could never block this amount.

Is there anything more I should be doing as a "Responsible SysAdmin"?


Well-Known Member
Feb 25, 2010
Houston, TX
cPanel Access Level
Root Administrator
I moved this to the Security section for better visibility.

If this problem is affecting the server's performance, one thing you have not mentioned is you can ask your hosting provider if they would be willing to block this in the hardware firewall or even upstream. Whether they will be willing to do this, however, will probably depend on how much effect it is having on the network as a whole.


Nov 1, 2012
cPanel Access Level
DataCenter Provider
This is definitely a data center or even the dedicated server provider's problem to be solving. You will need to work with them to see what kind of attacks you are getting and get them to work out how to prevent / deal with it.

They should have the best tools and logs to analyze what's happening. Software firewalls such as CSF really don't help much against proper attacks aimed at you.
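
An added example, not part of the thread: a small triage script that summarises the evidence to hand to the provider. It tallies the kernel "Possible SYN flooding" warnings per port, counts half-open connections per source, and collapses the sources into covering networks. The sample log lines, the `ss -ant` style column layout, the addresses and the function names are all constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed samples using documentation address ranges, not data from the thread.
SAMPLE_MESSAGES = """\
Nov  6 03:12:01 host kernel: TCP: Possible SYN flooding on port 80. Sending cookies.
Nov  6 03:13:02 host kernel: TCP: Possible SYN flooding on port 80. Sending cookies.
Nov  6 03:14:10 host sshd[411]: Accepted publickey for root
"""
SAMPLE_SS = """\
State     Recv-Q Send-Q Local Address:Port Peer Address:Port
SYN-RECV  0      0      203.0.113.10:80    198.51.100.23:51514
SYN-RECV  0      0      203.0.113.10:80    198.51.100.77:40022
SYN-RECV  0      0      203.0.113.10:80    198.51.100.23:51999
SYN-RECV  0      0      203.0.113.10:21    192.0.2.200:3333
ESTAB     0      0      203.0.113.10:443   192.0.2.9:50100
"""
FLOOD_RE = re.compile(r"Possible SYN flooding on port (\d+)", re.IGNORECASE)

def flood_ports(log_text):
    """Count kernel SYN-flood warnings per destination port."""
    return Counter(int(m.group(1)) for m in FLOOD_RE.finditer(log_text))

def half_open_by_source(ss_text):
    """Count half-open (SYN-RECV) IPv4 sockets per (local port, peer IP)."""
    counts = Counter()
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "SYN-RECV":
            continue  # header, other states, malformed lines
        port = fields[3].rsplit(":", 1)[-1]
        peer = fields[4].rsplit(":", 1)[0]
        try:
            ipaddress.IPv4Address(peer)
        except ValueError:
            continue  # IPv6 or unparsable peer: out of scope here
        if port.isdigit():
            counts[(int(port), peer)] += 1
    return counts

def covering_networks(ips, prefix=24):
    """Collapse IPv4 sources into /prefix networks, merging adjacent ones."""
    nets = {ipaddress.ip_network(f"{ip}/{prefix}", strict=False) for ip in ips}
    return list(ipaddress.collapse_addresses(nets))

if __name__ == "__main__":
    print("flood warnings per port:", dict(flood_ports(SAMPLE_MESSAGES)))
    half_open = half_open_by_source(SAMPLE_SS)
    print("half-open per (port, peer):", dict(half_open))
    print("covering /24s:", covering_networks({peer for _, peer in half_open}))
```

Source addresses in a SYN flood are often forged, so the per-source counts are evidence for the provider rather than a reliable block list, and a covering network also catches any legitimate visitors inside it.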