Asked Tuesday, June 14, 2022, 6:36:40 · 4 votes · 1 answer · 14398 hits

How can I block entire C class IP blocks when they send too many SYN packets to my Ubuntu 12.04 server?



Example of what I see during a SYN flood attack:
[image]
Each different IP only sends 1 SYN packet, so the firewall doesn't block it. But the range 192.132.209.* all together is sending a lot of SYN packets in a very small time period.



Answers (1)

Taking 10.0.0.0/24 as an example, something like



iptables -A INPUT -p tcp -s 10.0.0.0/24 --syn -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables -A INPUT -p tcp -s 10.0.0.0/24 --syn -j DROP   # SYNs over the limit fall through to this DROP; RETURN in the built-in INPUT chain only applies the chain policy, so this assumes the policy is ACCEPT


should do the job and is quite self-descriptive, so that doesn't need any explanation I guess. Here's a good, easy-to-read article on how to prevent TCP SYN flood attacks: Linux Iptables Limit the number of incoming tcp connection / syn-flood attacks. It explains more about the options, and provides a more extensive way too (logging, separate chain, etc.).



I can't see the current state of your iptables from here, so you might want to add this at the top of the INPUT chain or integrate it properly in your current scripts.






In the comments you've mentioned you're looking for an automated way of finding these IP blocks. Well, you should just leave out the source address filter in the command (-s 10.0.0.0/8), so the limit will apply to the whole world.


[#33226] answered by lasagnerhead, Wednesday, June 15, 2022
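The answer's `-m limit` rule keeps a single token bucket for the whole rule, so once the `-s` filter is dropped every SYN from everyone shares one budget and legitimate clients get dropped along with the flood. What the question actually asks for is accounting per /24. The following script is an added example, not code from the original answer or from the linked article: it aggregates the sources seen in iptables LOG lines by /24 and emits a DROP rule for each block over a threshold, and it prints the `hashlimit` rule that does the same /24 accounting inside the kernel. The log lines, addresses, the `SYN: ` log prefix and the 20/second and burst-40 thresholds are constructed for illustration; it also assumes the `xt_hashlimit` module is available on the server's kernel.

```shell
#!/bin/sh
# Added example (not part of the original answer). Aggregate SYN sources by /24
# from iptables LOG output, emit per-block DROP rules, and show the hashlimit
# rule that does the same accounting in the kernel. All sample data is constructed.

# Constructed sample of what
#   iptables -A INPUT -p tcp --syn -j LOG --log-prefix 'SYN: '
# writes to /var/log/kern.log: five hosts in 192.132.209.0/24 send one SYN each,
# one unrelated host sends two, and one line carries no source address at all.
SAMPLE_LOG='Jun 14 06:36:40 host kernel: SYN: IN=eth0 OUT= SRC=192.132.209.5 DST=10.0.0.2 PROTO=TCP SPT=40001 DPT=80 SYN
Jun 14 06:36:40 host kernel: SYN: IN=eth0 OUT= SRC=192.132.209.17 DST=10.0.0.2 PROTO=TCP SPT=40002 DPT=80 SYN
Jun 14 06:36:40 host kernel: SYN: IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.2 PROTO=TCP SPT=51000 DPT=443 SYN
Jun 14 06:36:40 host kernel: SYN: IN=eth0 OUT= SRC=192.132.209.88 DST=10.0.0.2 PROTO=TCP SPT=40003 DPT=80 SYN
Jun 14 06:36:41 host kernel: SYN: IN=eth0 OUT= SRC=192.132.209.129 DST=10.0.0.2 PROTO=TCP SPT=40004 DPT=80 SYN
Jun 14 06:36:41 host kernel: SYN: IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.2 PROTO=TCP SPT=51001 DPT=443 SYN
Jun 14 06:36:41 host kernel: SYN: IN=eth0 OUT= SRC=192.132.209.201 DST=10.0.0.2 PROTO=TCP SPT=40005 DPT=80 SYN
Jun 14 06:36:41 host kernel: some unrelated line without a source address'

# syn_blocks_over THRESHOLD: read LOG lines on stdin, count SYNs per /24 and
# print "count block" for every block at or above THRESHOLD, busiest first.
# Lines without a SRC= field are ignored.
syn_blocks_over() {
    awk -v t="$1" '
        match($0, /SRC=[0-9.]+/) {
            ip = substr($0, RSTART + 4, RLENGTH - 4)   # strip the "SRC=" prefix
            if (split(ip, o, "[.]") == 4)
                n[o[1] "." o[2] "." o[3] ".0/24"]++     # key by the /24 the host sits in
        }
        END { for (b in n) if (n[b] >= t) print n[b], b }
    ' | sort -rn
}

# emit_drop_rules THRESHOLD: turn the blocks found above into iptables commands.
# They are printed rather than executed so they can be reviewed first;
# pipe the output into "sh" as root to apply them.
emit_drop_rules() {
    syn_blocks_over "$1" | while read -r count block; do
        printf 'iptables -I INPUT -p tcp --syn -s %s -j DROP   # %s SYNs seen\n' "$block" "$count"
    done
}

# hashlimit_rule: the kernel-side equivalent. hashlimit keeps one token bucket
# per source /24 (--hashlimit-srcmask 24), so hosts that each send a single SYN
# still draw from one shared budget; SYNs arriving faster than 20/s (after a
# burst of 40) from any one block are dropped. The rates are assumed values
# and need tuning against the server's normal traffic.
hashlimit_rule() {
    cat <<'EOF'
iptables -I INPUT -p tcp --syn -m hashlimit --hashlimit-name synflood \
    --hashlimit-mode srcip --hashlimit-srcmask 24 \
    --hashlimit-above 20/second --hashlimit-burst 40 -j DROP
EOF
}

# Stand-alone run: blocks with at least 3 SYNs in the sample, then the kernel rule.
printf '%s\n' "$SAMPLE_LOG" | emit_drop_rules 3
hashlimit_rule
```

Against the sample, only `192.132.209.0/24` crosses a threshold of 3 (five SYNs from five different hosts), which is exactly the pattern in the question that a per-host rule never sees. The `hashlimit` rule is the better long-term fix because it needs no log parsing and expires idle buckets on its own; the log-driven script is useful for finding which blocks are hitting you right now before you pick thresholds.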