From owner-freebsd-pf@FreeBSD.ORG  Mon Aug 20 16:23:16 2012
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 8B5EB1065670
	for <freebsd-pf@freebsd.org>; Mon, 20 Aug 2012 16:23:16 +0000 (UTC)
	(envelope-from jdavidlists@gmail.com)
Received: from mail-vc0-f182.google.com (mail-vc0-f182.google.com
	[209.85.220.182])
	by mx1.freebsd.org (Postfix) with ESMTP id 3FC838FC15
	for <freebsd-pf@freebsd.org>; Mon, 20 Aug 2012 16:23:16 +0000 (UTC)
Received: by vcbgb22 with SMTP id gb22so6645565vcb.13
	for <freebsd-pf@freebsd.org>; Mon, 20 Aug 2012 09:23:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
	h=mime-version:sender:in-reply-to:references:date
	:x-google-sender-auth:message-id:subject:from:to:cc:content-type;
	bh=HGweACcslspYqq2bBQkyt6VEHyFgeqFvjlkhQ3pmzRk=;
	b=kn5lrJFQHAXALW01iAyqVlD2N8taR/yxAIAvSaKbXVsDuQrPa5u2sy04T7xl0YUXNn
	r0/W3ndXsOO8jXEs+TDmzaC8M2kA6rDG9mINnrUpjF0C2PQt2O9ouTOR3IeWVILlVd45
	Uil/xp64QQyo0TymVkyYIqdbFEAdK//Y6SqmcouMjUbTlbpRlhQLVhrEOUVX9OYiicNK
	qF2PfbmP9islFF5tMw8qKdX0yn9vCyAuxxBrbMBJVv32RAVT2V/vCRSYAvpjse+8me18
	mVA78mxXHKyezhv3w33MHCzsJfzQN/2QDZlKcSthFpjfsoi2gRLPpYKM38PzoFEE5vt6
	baEA==
MIME-Version: 1.0
Received: by 10.52.93.170 with SMTP id cv10mr2880939vdb.78.1345479795656; Mon,
	20 Aug 2012 09:23:15 -0700 (PDT)
Sender: jdavidlists@gmail.com
Received: by 10.59.7.163 with HTTP; Mon, 20 Aug 2012 09:23:15 -0700 (PDT)
In-Reply-To: <CAFpgnrPdzWWF9gu4zkPvE-6aWt0UX+MrZm2=WYsbJo9eQff5DA@mail.gmail.com>
References: <CABXB=RQZx1m05gVNh4x3zc7sovGA8ZpzyaZeq_Gd1QHS0n7r1g@mail.gmail.com>
	<CAFpgnrPdzWWF9gu4zkPvE-6aWt0UX+MrZm2=WYsbJo9eQff5DA@mail.gmail.com>
Date: Mon, 20 Aug 2012 12:23:15 -0400
X-Google-Sender-Auth: LvapTu0XQj1b_rx3Zp_ZvF78yl4
Message-ID: <CABXB=RQhNbrObkY9x5FepkU8j=Sw+NJ92cqgTNw09Rh-yvFJPA@mail.gmail.com>
From: J David <j.david.lists@gmail.com>
To: Kevin Wilcox <kevin.wilcox@gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
Cc: freebsd-pf@freebsd.org
Subject: Re: Fighting DDOS attacks with pf
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
	\(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Aug 2012 16:23:16 -0000

On Mon, Aug 20, 2012 at 12:07 PM, Kevin Wilcox <kevin.wilcox@gmail.com> wrote:
> Rather than block on the number of states, take a look at dropping
> based on the number of connections over some time delta.
>
> Specifically, max-src-conn and max-src-conn-rate.

Anything based on the source address is ineffective as the number of
attack packets from any given IP is very low (frequently 1 if they are
forged).

The goal for us is to clamp down on attacks directed at a given IP
quickly and effectively enough that only that IP is affected.

Thanks.