Date: Mon, 20 Aug 2012 11:53:09 -0400
From: J David <j.david.lists@gmail.com>
To: freebsd-pf@freebsd.org
Subject: Fighting DDOS attacks with pf
Message-ID: <CABXB=RQZx1m05gVNh4x3zc7sovGA8ZpzyaZeq_Gd1QHS0n7r1g@mail.gmail.com>
Hello,

We experience frequent DDOS attacks, and we're having a tough time mitigating them with pf. We have plenty of bandwidth and processing power; we just can't seem to get the rules right.

If, for example, I have a single IP address on the outside attacking a range of IPs on the inside, it is very easy to write a max-src-states rule that will count the states for that IP and flush the attacker to a "drop quick" table if they exceed the limit.

However, the nature of a DDOS attack is that there is not a single source IP. The source IP is either outright forged or one of a large number of compromised attacking hosts. So what I really want to do is have a "max-dst-states" rule that would at least temporarily blackhole an IP being attacked, but there's no such thing.

Currently we have to run a script once per minute that parses "pfctl -s info" looking for large numbers of states to a common destination. But as we have our states set to 1000000, this is really inefficient and of course takes at least a minute to catch up to an attack.

Is there a better way to do this?

This is on FreeBSD 9.1-PRERELEASE #0 r238540.

Thanks for any help!
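The per-destination state scan the post describes running by hand, as an added example that is not part of the original message or of pf itself: a POSIX sh script that reads the state listing from `pfctl -s state` on stdin, counts states per destination host, and either lists the hosts above a threshold or adds them to a pf table. It assumes the two-address line shape `all tcp A <- B` / `all tcp A -> B` (NAT'd three-address lines are not handled), and the sample states and the table name `attacked` are constructed.

```shell
#!/bin/sh
# Stand-in for a missing "max-dst-states": count pf states per destination
# host from `pfctl -s state` output on stdin and report the busy ones.
# Assumed line shape (constructed, abbreviated):
#   all tcp 10.0.0.5:80 <- 203.0.113.7:51234     SYN_RCVD:SYN_SENT
#   all tcp 198.51.100.3:4000 -> 10.0.0.5:443   ESTABLISHED:ESTABLISHED
# The arrow in field 4 says which side is the destination.

# busy_destinations THRESHOLD < states
# Prints "count host" for every destination holding more than THRESHOLD
# states, busiest first.
busy_destinations() {
    awk -v limit="$1" '
        $4 == "<-" { dst = $3 }            # inbound: left side is the target
        $4 == "->" { dst = $5 }            # outbound: right side is the target
        $4 == "<-" || $4 == "->" {
            sub(/:[0-9]+$/, "", dst)       # strip the port, keep the host
            n[dst]++
        }
        END { for (d in n) if (n[d] > limit) print n[d], d }
    ' | sort -rn
}

# blackhole_busy THRESHOLD TABLE [dry] < states
# Same scan, then add each offender to the pf table TABLE, which pf.conf is
# assumed to reference from a "block in quick to <TABLE>" rule. A third
# argument "dry" only reports what would be added, so it can run offline.
blackhole_busy() {
    busy_destinations "$1" | while read -r count dst; do
        if [ "${3:-}" = dry ]; then
            echo "would add $dst ($count states) to <$2>"
        else
            pfctl -t "$2" -T add "$dst"
        fi
    done
}

# Constructed sample of pfctl -s state output (not a real capture).
SAMPLE='all tcp 10.0.0.5:80 <- 203.0.113.7:51234     SYN_RCVD:SYN_SENT
all tcp 10.0.0.5:80 <- 203.0.113.8:51235     SYN_RCVD:SYN_SENT
all tcp 10.0.0.5:80 <- 203.0.113.9:51236     SYN_RCVD:SYN_SENT
all udp 10.0.0.9:53 <- 198.51.100.3:5000     SINGLE:NO_TRAFFIC
all tcp 198.51.100.3:4000 -> 10.0.0.5:443    ESTABLISHED:ESTABLISHED'

# Live use, e.g. from cron or a loop with a short sleep:
#   pfctl -s state | busy_destinations 5000
#   pfctl -s state | blackhole_busy 5000 attacked
```

Entries added this way stay in the table until removed, so pair it with a periodic `pfctl -t attacked -T expire` (or a flush) to lift the blackhole once the flood subsides.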