From: J David
To: freebsd-pf@freebsd.org
Date: Mon, 20 Aug 2012 11:53:09 -0400
Subject: Fighting DDOS attacks with pf

Hello,

We experience frequent DDOS attacks, and we're having a tough time mitigating them with pf. We have plenty of bandwidth and processing power, we just can't seem to get the rules right.

If, for example, I have a single IP address on the outside attacking a range of IPs on the inside, it is very easy to write a max-src-states rule that will count the states for that IP and flush the attacker to a "drop quick" table if they exceed the limit.

However, the nature of a DDOS attack is that there is not a single source IP. The source IP is either outright forged or one of a large number of compromised attacking hosts. So what I really want to do is have a "max-dst-states" rule that would at least temporarily blackhole an IP being attacked, but there's no such thing.

Currently we have to run a script once per minute that parses "pfctl -s info" looking for large numbers of states to a common destination. But as we have our states set to 1000000, this is really inefficient and of course takes at least a minute to catch up to an attack.

Is there a better way to do this?

This is on FreeBSD 9.1-PRERELEASE #0 r238540.

Thanks for any help!
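The per-minute "count states per destination, then blackhole the hot one" approach the mail describes, written out as an added shell example (not the poster's script and not part of the original thread). It assumes un-NATed IPv4 states in the `pfctl -ss` line format, a hypothetical pf table named `attacked` backed by a `block drop in quick to <attacked>` rule, and uses a constructed sample instead of live state output.

```shell
#!/bin/sh
# Constructed sample in the shape of `pfctl -ss` output (not captured from a real host).
# Inbound states print as "dst <- src"; the inside host being hit is the field before "<-".
SAMPLE_STATES='all tcp 10.0.0.5:80 <- 203.0.113.7:51234       SYN_SENT:CLOSED
all tcp 10.0.0.5:80 <- 198.51.100.9:40000       SYN_SENT:CLOSED
all tcp 10.0.0.5:80 <- 192.0.2.33:40001       SYN_SENT:CLOSED
all udp 10.0.0.9:53 <- 203.0.113.7:5555       MULTIPLE:SINGLE
all tcp 10.0.0.9:22 -> 192.0.2.1:22       ESTABLISHED:ESTABLISHED'

# busiest_dsts THRESHOLD: read state lines on stdin and print "count ip" for every
# inside destination with at least THRESHOLD inbound states, busiest first.
# Outbound ("->") states are ignored; NAT'd states (an extra "(addr:port)" field)
# are not handled, which is an assumption of this example.
busiest_dsts() {
    awk -v thr="$1" '
        $4 != "<-" { next }
        {
            d = $3
            sub(/:[^:]*$/, "", d)   # drop the port; IPv4 form assumed
            n[d]++
        }
        END { for (d in n) if (n[d] >= thr) print n[d], d }
    ' | sort -rn
}

# blackhole_attacked TABLE THRESHOLD: put each over-threshold destination into a pf
# table. Assumed pf.conf (hypothetical, not from the mail):
#   table <attacked> persist
#   block drop in quick to <attacked>
# Entries can later be aged out with "pfctl -t attacked -T expire 600" so the
# blackhole is temporary. With DRY_RUN=1 the pfctl command is printed, not run.
blackhole_attacked() {
    table="$1"; thr="$2"
    busiest_dsts "$thr" | while read -r count ip; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            printf '%s\n' "pfctl -t $table -T add $ip  # $count states"
        else
            pfctl -t "$table" -T add "$ip"
        fi
    done
}

# Real use, once a minute from cron:  pfctl -ss | blackhole_attacked attacked 5000
# Demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_STATES" | busiest_dsts 3
```

Walking a million-entry state table through awk once a minute is exactly the cost the mail complains about; the script only shows the counting logic, not a faster data source.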