From owner-freebsd-pf@FreeBSD.ORG Mon Aug 20 16:09:29 2012
From: Victor Detoni
To: J David
Cc: freebsd-pf@freebsd.org
Date: Mon, 20 Aug 2012 13:09:28 -0300
Subject: Re: Fighting DDOS attacks with pf
List-Id: "Technical discussion and general questions about packet filter (pf)"

David,

Have you looked at *optimization* at the link below? Maybe it helps you.
http://www.openbsd.org/faq/pf/options.html

On Mon, Aug 20, 2012 at 12:53 PM, J David wrote:
> Hello,
>
> We experience frequent DDOS attacks, and we're having a tough time
> mitigating them with pf. We have plenty of bandwidth and processing
> power, we just can't seem to get the rules right.
>
> If, for example, I have a single IP address on the outside attacking a
> range of IPs on the inside, it is very easy to write a max-src-states
> rule that will count the states for that IP and flush the attacker to
> a "drop quick" table if they exceed the limit.
>
> However, the nature of a DDOS attack is that there is not a single
> source IP. The source IP is either outright forged or one of a large
> number of compromised attacking hosts. So what I really want to do is
> have a "max-dst-states" rule that would at least temporarily blackhole
> an IP being attacked, but there's no such thing.
>
> Currently we have to run a script once per minute that parses "pfctl
> -s info" looking for large numbers of states to a common destination.
> But as we have our states set to 1000000, this is really inefficient
> and of course takes at least a minute to catch up to an attack.
>
> Is there a better way to do this?
>
> This is on FreeBSD 9.1-PRERELEASE #0 r238540.
>
> Thanks for any help!
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
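The once-a-minute "states to a common destination" check that the quoted message describes, written out as an added example (not code from the thread or from either poster): one awk pass over the per-state listing from `pfctl -s state`, feeding destinations over a threshold into a blackhole table. The table name `ddos_dst`, the pf.conf lines in the comment, the threshold and the sample state lines are all constructed assumptions.

```shell
#!/bin/sh
# Added example: count pf states per destination from "pfctl -s state" and
# blackhole busy destinations. Assumed pf.conf (constructed):
#   table <ddos_dst> persist
#   block drop in quick to <ddos_dst>
# plus a cron job "pfctl -t ddos_dst -T expire 600" that lifts old entries.

# Print "count ip" for every destination with at least $1 states, busiest first.
# Reads "pfctl -s state" lines on stdin; the address left of "<-" (inbound) or
# right of "->" (outbound) is the destination.
hot_destinations() {
    awk -v thr="$1" '
        {
            arrow = 0
            for (i = 3; i < NF; i++)
                if ($i == "<-" || $i == "->") { arrow = i; break }
            if (!arrow) next                     # header or unexpected line
            ep = ($arrow == "<-") ? $(arrow - 1) : $(arrow + 1)
            sub(/:[0-9]+$/, "", ep)              # strip the port
            gsub(/[][]/, "", ep)                 # strip IPv6 brackets
            n[ep]++
        }
        END { for (d in n) if (n[d] >= thr) printf "%d %s\n", n[d], d }
    ' | sort -rn
}

# Live use: add every over-threshold destination to the blackhole table.
blackhole_hot() {
    pfctl -s state | hot_destinations "$1" | while read -r count ip; do
        echo "blackholing $ip ($count states)"
        pfctl -t ddos_dst -T add "$ip"
    done
}

# Constructed sample of "pfctl -s state" output for offline testing.
SAMPLE_STATES='all tcp 10.0.0.5:80 <- 198.51.100.7:51234       ESTABLISHED:ESTABLISHED
all tcp 10.0.0.5:80 <- 198.51.100.8:40001       SYN_SENT:CLOSED
all tcp 10.0.0.5:80 <- 198.51.100.9:40002       SYN_SENT:CLOSED
all udp 10.0.0.5:53 <- 203.0.113.4:5353       MULTIPLE:SINGLE
all tcp 10.0.0.9:22 <- 203.0.113.5:60100       ESTABLISHED:ESTABLISHED
all tcp 192.0.2.1:51000 -> 10.0.0.9:443       ESTABLISHED:ESTABLISHED
all tcp [2001:db8::10]:80 <- [2001:db8:1::5]:44000       ESTABLISHED:ESTABLISHED'

hot_from_sample() {
    printf '%s\n' "$SAMPLE_STATES" | hot_destinations "$1"
}

if [ "${1:-}" = "demo" ]; then hot_from_sample 3; fi   # prints "4 10.0.0.5"
```

Running `blackhole_hot` from cron keeps the minute-long lag the message mentions; the awk pass itself is linear in the number of states, so it stays cheap even with the state limit at 1000000.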