User tripping port flood rules in csf

[retired1af]

This one isn't so much about how to protect a server, but rather why a specific user is tripping the port flood rule. I use csf on the server, and port 80 is set to: 80;tcp;20;5 (20 connections within 5 seconds).

The user is using XP and Firefox. He's an elderly gentleman and has been a member of the site for many, many years. So anything overtly malicious on his part is ruled out.

What I'm trying to figure out is why he's tripping this rule, and what could be on his machine that causes this behavior, whether it's a Firefox addon or something else. Has anyone else run across something like this?

[Mudgen]

Have not run across this, but any chance someone may have been in his about:config and changed any of the network.http.* settings? Especially network.http.pipelining, which defaults to false? If you turned that on and upped network.http.pipelining.maxrequests up to 30 from the default 4 it could do what you're seeing, and there are Firefox tweaking guides out there that suggest doing this to speed up the browser.

[rcgreen]

It might be Fasterfox

Dynamic speed increases can be obtained with the unique prefetching mechanism, which recycles idle bandwidth by silently loading and caching all of the links on the page you are browsing.

https://addons.mozilla.org/en-US/firefox/addon/1269/

[retired1af]

We've narrowed it down to his modem/router combination. He gave me a key indicator yesterday when he mentioned his laptop running IE also was having issues hitting the site. I'm pouring over the documentation for his modem/router combo to see if there's anything in those settings that would trip anything up.

Strange thing is, up to a few weeks ago, he wasn't having issues. I upgraded csf a couple of weeks ago, and I suspect there may be a corelation there.

Still digging into this one.

[Mudgen]

Sounds like a good component isolation. Please do post back if you figure it out. If I can't help, I'd like to learn something.