Date: Mon, 20 Aug 2012 12:07:36 -0400
From: Kevin Wilcox <kevin.wilcox@gmail.com>
To: J David <j.david.lists@gmail.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: Fighting DDOS attacks with pf
Message-ID: <CAFpgnrPdzWWF9gu4zkPvE-6aWt0UX%2BMrZm2=WYsbJo9eQff5DA@mail.gmail.com>
In-Reply-To: <CABXB=RQZx1m05gVNh4x3zc7sovGA8ZpzyaZeq_Gd1QHS0n7r1g@mail.gmail.com>
References: <CABXB=RQZx1m05gVNh4x3zc7sovGA8ZpzyaZeq_Gd1QHS0n7r1g@mail.gmail.com>
On Mon, Aug 20, 2012 at 11:53 AM, J David <j.david.lists@gmail.com> wrote:

> However, the nature of a DDOS attack is that there is not a single
> source IP. The source IP is either outright forged or one of a large
> number of compromised attacking hosts. So what I really want to do is
> have a "max-dst-states" rule that would at least temporarily blackhole
> an IP being attacked, but there's no such thing.

Rather than block on the number of states, take a look at dropping based on
the number of connections over some time delta. Specifically, max-src-conn
and max-src-conn-rate.

kmw
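For readers following the thread, here is what the per-source limits Kevin names look like in a pf.conf rule, together with the overload table that makes them useful. This is an added illustration, not a configuration posted by either participant; the interface, table and host names ($ext_if, <flooders>, $web_srv) are placeholders.

```pf
# Assumed macros: adjust to the local interface and server address.
ext_if  = "em0"
web_srv = "192.0.2.10"          # documentation address used as a placeholder

# Table that collects sources which exceed the limits below.
# "persist" keeps the table even when no rule references it yet.
table <flooders> persist

# Drop anything from a source that has already been overloaded.
# "quick" stops rule evaluation, so the pass rule below is never reached.
block in quick on $ext_if from <flooders>

# Per-source limits on new TCP connections to the web server:
#   max-src-conn 100      at most 100 simultaneous established connections
#                         from a single source address
#   max-src-conn-rate 15/5  at most 15 new connections from one source
#                           within any 5-second window
# A source that exceeds either limit is added to <flooders>; "flush global"
# also kills every existing state from that source, not just this rule's.
pass in on $ext_if proto tcp to $web_srv port { 80 443 } \
    flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, \
     overload <flooders> flush global)
```

Entries never age out on their own, so expire them periodically, for example from cron with `pfctl -t flooders -T expire 3600`. Because both limits key on the source address, they help against a large pool of real clients but not against a flood of forged source addresses, which is the case the original poster raised.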