T-Mobile has indeed a feature for DDoS protection. A paid feature. Their reluctance is simply that they don't want to provide it for free, even if that means that you are being disconnected due to the attack. Yes, ISP have a nasty tendency to leave people in a lurch.
One issue I see is that port tcp/65372 is exposed. If you are seeing a lot of established connections, it means these are available to the whole world. Could you limit them in the filter instead? Another change you can make is to more aggressively terminate the unacked connections (IP -> Firewall -> Connections -> Tracking -> TCP Unacked Timeout). By default, this is 5 minutes, which means that the connection will be kept in the half-open state, waiting for the final ACK, for 5 minutes. Consider diminishing this to 1 minute or even 30 seconds.
Looking at the addresses in the screenshot, this seems to be randomly generated, some are assigned to Level3, IBM, ... Unluckily these big guys are attacking you.
One issue I see is that port tcp/65372 is exposed. If you are seeing a lot of established connections, it means these are available to the whole world. Could you limit them in the filter instead? Another change you can make is to more aggressively terminate the unacked connections (IP -> Firewall -> Connections -> Tracking -> TCP Unacked Timeout). By default, this is 5 minutes, which means that the connection will be kept in the half-open state, waiting for the final ACK, for 5 minutes. Consider diminishing this to 1 minute or even 30 seconds.
Looking at the addresses in the screenshot, this seems to be randomly generated, some are assigned to Level3, IBM, ... Unluckily these big guys are attacking you.
Statistics: Posted by vingjfg — Sat Jan 13, 2024 11:03 am