Date:      Mon, 20 Aug 2012 13:09:28 -0300
From:      Victor Detoni <victordetoni@gmail.com>
To:        J David <j.david.lists@gmail.com>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: Fighting DDOS attacks with pf
Message-ID:  <CANpwN=tE=2uv2diEFgCAOr6djbx+wKLjWwrNVf4dZnOPnQwZVg@mail.gmail.com>
In-Reply-To: <CABXB=RQZx1m05gVNh4x3zc7sovGA8ZpzyaZeq_Gd1QHS0n7r1g@mail.gmail.com>
References:  <CABXB=RQZx1m05gVNh4x3zc7sovGA8ZpzyaZeq_Gd1QHS0n7r1g@mail.gmail.com>

David,

Have you looked at *optimization* at the link below? Maybe it helps you.

http://www.openbsd.org/faq/pf/options.html

On Mon, Aug 20, 2012 at 12:53 PM, J David <j.david.lists@gmail.com> wrote:

> Hello,
>
> We experience frequent DDOS attacks, and we're having a tough time
> mitigating them with pf.  We have plenty of bandwidth and processing
> power, we just can't seem to get the rules right.
>
> If, for example, I have a single IP address on the outside attacking a
> range of IPs on the inside, it is very easy to write a max-src-states
> rule that will count the states for that IP and flush the attacker to
> a "drop quick" table if they exceed the limit.
>
> However, the nature of a DDOS attack is that there is not a single
> source IP.  The source IP is either outright forged or one of a large
> number of compromised attacking hosts.  So what I really want to do is
> have a "max-dst-states" rule that would at least temporarily blackhole
> an IP being attacked, but there's no such thing.
>
> Currently we have to run a script once per minute that parses "pfctl
> -s info" looking for large numbers of states to a common destination.
> But as we have our states set to 1000000, this is really inefficient
> and of course takes at least a minute to catch up to an attack.
>
> Is there a better way to do this?
>
> This is on FreeBSD 9.1-PRERELEASE #0 r238540.
>
> Thanks for any help!
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>



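The per-minute script J David describes (scan the pf state table, find destinations with an unusually high number of states, and blackhole them) can be done as a single awk pass instead of a slow parse. The block below is an added example and is not code from either poster; it assumes the listing comes from `pfctl -s state` (the state list, not the counters from `-s info`), that a table named `blackhole` exists in pf.conf with a `block in quick to <blackhole>` rule in front of it, and the sample state lines are constructed to imitate pf's `dst <- src` / `src -> dst` output, including the parenthesised NAT form. The threshold and table name are placeholders to tune to the real state limit.

```shell
#!/bin/sh
# Count pf states per destination address and report destinations that
# exceed a threshold. Added example; "blackhole" table and THRESHOLD are
# assumptions, not settings from the thread.

THRESHOLD=${THRESHOLD:-5000}   # placeholder: states-to-one-host that counts as an attack
TABLE=${TABLE:-blackhole}      # placeholder: pf table referenced by a "block in quick" rule

# Constructed sample of `pfctl -s state` output (not captured from a real host).
# Inbound states print "dst <- src"; outbound print "src -> dst"; a NAT'd
# address appears in parentheses after the first address.
SAMPLE_STATES='all tcp 10.0.0.5:80 <- 198.51.100.7:40001       ESTABLISHED:ESTABLISHED
all tcp 10.0.0.5:80 <- 198.51.100.8:40002       SYN_SENT:CLOSED
all tcp 10.0.0.5:80 <- 198.51.100.9:40003       SYN_SENT:CLOSED
all tcp 10.0.0.5:80 (203.0.113.1:80) <- 198.51.100.10:40004       SYN_SENT:CLOSED
all udp 10.0.0.9:53 <- 203.0.113.4:5353       MULTIPLE:SINGLE
em0 tcp 10.0.0.9:51234 -> 192.0.2.10:443       ESTABLISHED:ESTABLISHED'

# Read state lines on stdin; print "count address", highest count first.
count_dst_states() {
    awk '
    {
        dst = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "<-") { dst = $3; break }        # inbound: destination is first address
            if ($i == "->") { dst = $(i + 1); break }  # outbound: destination follows the arrow
        }
        if (dst == "") next                 # not a state line (e.g. a header)
        sub(/:[0-9]+$/, "", dst)            # strip the port; IPv6 keeps its [brackets]
        n[dst]++
    }
    END { for (d in n) print n[d], d }
    ' | sort -rn
}

# Print every destination holding at least $1 states (default: THRESHOLD).
over_threshold() {
    limit=${1:-$THRESHOLD}
    count_dst_states | awk -v lim="$limit" '$1 >= lim { print $2 }'
}

# Live mode: scan the real state table and add offenders to the pf table.
# Run as "sh thisscript.sh run" from cron; without "run" nothing touches pf.
if [ "${1:-}" = "run" ]; then
    pfctl -s state | over_threshold "$THRESHOLD" | while read -r ip; do
        pfctl -t "$TABLE" -T add "$ip"
    done
fi
```

Counting the destination side of every state is what the poster's script does by hand; the awk pass reads the listing once, so cost is linear in the number of states rather than one grep per candidate. To check the logic offline, feed `SAMPLE_STATES` into `over_threshold 3`: only 10.0.0.5, with four states, is reported. Entries added to the table should be expired again (for example with `pfctl -t blackhole -T expire`) once the attack subsides, otherwise a legitimately busy host stays blackholed.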