From owner-freebsd-pf@FreeBSD.ORG Mon Aug 20 16:07:36 2012
Delivered-To: freebsd-pf@freebsd.org
Date: Mon, 20 Aug 2012 12:07:36 -0400
From: Kevin Wilcox
To: J David
Cc: freebsd-pf@freebsd.org
Subject: Re: Fighting DDOS attacks with pf
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Mon, Aug 20, 2012 at 11:53 AM, J David wrote:
> However, the nature of a DDOS attack is that there is not a single
> source IP. The source IP is either outright forged or one of a large
> number of compromised attacking hosts. So what I really want to do is
> have a "max-dst-states" rule that would at least temporarily blackhole
> an IP being attacked, but there's no such thing.

Rather than block on the number of states, take a look at dropping based on the number of connections over some time delta. Specifically, max-src-conn and max-src-conn-rate.

kmw
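The two pf.conf state options named in the reply, shown together with an overload table, as an added illustration that is not part of Kevin's message or of the FreeBSD project's documentation. The interface name, the server address and the table name are assumptions chosen for the example:

```pf
# Added example: per-source limits on a stateful TCP pass rule.
# ext_if, web_srv and the table name are placeholders (assumed values);
# 192.0.2.10 is a constructed address from the TEST-NET-1 range.
ext_if  = "em0"
web_srv = "192.0.2.10"

# Table that collects offenders. 'persist' keeps the table around
# even when it is empty, so the block rule below always has a target.
table <flooders> persist

# Drop anything from an address already in the table, ahead of the pass rule.
block in quick on $ext_if from <flooders> to any

# Stateful pass rule with source tracking:
#   max-src-conn 100        at most 100 simultaneous TCP connections that
#                           completed the 3-way handshake, per source
#   max-src-conn-rate 15/5  at most 15 new connections per 5 seconds,
#                           per source (a moving average)
#   overload <flooders>     a source that exceeds either limit is added to
#                           the table; 'flush global' also removes every
#                           state that source created on any rule
pass in on $ext_if proto tcp from any to $web_srv port { 80 443 } \
    flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, overload <flooders> flush global)
```

Load it with `pfctl -f /etc/pf.conf` and watch the table with `pfctl -t flooders -T show`. Addresses put into the table by `overload` stay there until removed, so a periodic `pfctl -t flooders -T expire 3600` (for example from cron) is what makes the block temporary. Both options count completed TCP handshakes per source address, so they act on the many-real-hosts case from the quoted message; a flood with forged source addresses never completes a handshake and is not counted, which is the case `synproxy state` exists for.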