From owner-freebsd-pf@FreeBSD.ORG Mon Aug 20 16:23:16 2012
Date: Mon, 20 Aug 2012 12:23:15 -0400
From: J David
To: Kevin Wilcox
Cc: freebsd-pf@freebsd.org
Subject: Re: Fighting DDOS attacks with pf

On Mon, Aug 20, 2012 at 12:07 PM, Kevin Wilcox wrote:

> Rather than block on the number of states, take a look at dropping
> based on the number of connections over some time delta.
>
> Specifically, max-src-conn and max-src-conn-rate.

Anything based on the source address is ineffective as the number of attack packets from any given IP is very low (frequently 1 if they are forged).

The goal for us is to clamp down on attacks directed at a given IP quickly and effectively enough that only that IP is affected.

Thanks.
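For readers following the thread, here is what the per-source limits Kevin mentions look like in a pf.conf rule, alongside the state-count limit the reply says was being used before. This is an added example written for this page, not configuration posted by either participant; the interface name em0, the server address 192.0.2.10 and the table name abusers are placeholders.

```pf
# Added example (not from the thread). Interface, address and table name are placeholders.
ext_if  = "em0"
web_srv = "192.0.2.10"   # constructed example address

# Sources that trip a limit are collected here; "persist" keeps the table across rule reloads.
table <abusers> persist

# Anything from an overloaded source is dropped before it reaches the pass rules.
block in quick on $ext_if from <abusers> to any

# Per-source limits on TCP connections to the web server:
#   max-src-states 200     : at most 200 state entries per source (the "number of states"
#                            approach the reply refers to)
#   max-src-conn 100       : at most 100 concurrent completed TCP connections per source
#   max-src-conn-rate 15/5 : at most 15 new connections per source within 5 seconds
#   overload <abusers>     : a source exceeding any limit is added to the table
#   flush global           : and every existing state from that source is killed
pass in on $ext_if proto tcp from any to $web_srv port 80 \
    flags S/SA keep state \
    (max-src-states 200, max-src-conn 100, max-src-conn-rate 15/5, \
     overload <abusers> flush global)
```

All three knobs are keyed on the source address, which is exactly the limitation the reply points out: with forged sources each address contributes a packet or two and never reaches a threshold, so the table stays empty while the target is still being hit. The table can be inspected with `pfctl -t abusers -T show` and aged out periodically with `pfctl -t abusers -T expire 3600`, so a legitimate client that was caught by a burst is not blocked indefinitely.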