iptables -A INPUT -m state --state NEW -m recent --set # If we receive more than 10 connections in 10 seconds block our friend.
iptables -A INPUT -m state --state NEW -m recent --update --seconds 5 --hitcount 15 -j Log-N-Drop
I have these two relevant rules from iptables. if more than 15 connections are made in 5 seconds it logs the attempt and blocks it. How long does iptables maintain the counter? Does it refresh if connections are attempted again?
You can get help on this module by running iptables -m recent --help:
The main option related to your question are:
[!] --update Match if source address in list, also update last-seen time.
So my understanding is that with --update it will refresh, but you would need that update prior to the drop. Therefore if it is first it will 'expire'. The examples on the author's page might help as well. Also the following module parameter comes into play to if more IPs come:
ip_list_tot=100 ; Number of addresses remembered per table
Edit: Honestly, thinking about it more I am a bit confused about all the possible scenerios. I would test this a lot by crafting different source IP addressese with something like scapy for fping. The following module parameter might help as well:
debug=0 ; Set to 1 to get lots of debugging info
Maybe someone will have a better answer who has experimented with the options, sorry :-/
If more than 15 connections are made in five seconds, their connections are refused until five seconds after the last packet was received.
