Date:      Mon, 20 Aug 2012 12:23:15 -0400
From:      J David <j.david.lists@gmail.com>
To:        Kevin Wilcox <kevin.wilcox@gmail.com>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: Fighting DDOS attacks with pf
Message-ID:  <CABXB=RQhNbrObkY9x5FepkU8j=Sw%2BNJ92cqgTNw09Rh-yvFJPA@mail.gmail.com>
In-Reply-To: <CAFpgnrPdzWWF9gu4zkPvE-6aWt0UX%2BMrZm2=WYsbJo9eQff5DA@mail.gmail.com>
References:  <CABXB=RQZx1m05gVNh4x3zc7sovGA8ZpzyaZeq_Gd1QHS0n7r1g@mail.gmail.com> <CAFpgnrPdzWWF9gu4zkPvE-6aWt0UX%2BMrZm2=WYsbJo9eQff5DA@mail.gmail.com>

On Mon, Aug 20, 2012 at 12:07 PM, Kevin Wilcox <kevin.wilcox@gmail.com> wrote:
> Rather than block on the number of states, take a look at dropping
> based on the number of connections over some time delta.
>
> Specifically, max-src-conn and max-src-conn-rate.

Anything based on the source address is ineffective as the number of
attack packets from any given IP is very low (frequently 1 if they are
forged).

The goal for us is to clamp down on attacks directed at a given IP
quickly and effectively enough that only that IP is affected.

Thanks.
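To make the trade-off in this exchange concrete, the following pf.conf fragment is an added example; it is not from the thread or from either poster. The interface name and address are placeholders, and the two rule sets are alternatives for the same destination, so only one should be loaded at a time. The first rule set is the per-source approach Kevin suggests; the second is a per-destination state cap of the kind J David describes, with pf's synproxy option (an assumed addition, not mentioned in the thread) layered on.

```pf
# Added example, not from the thread. Interface and address are placeholders.
ext_if = "em0"
web_ip = "203.0.113.10"   # constructed example address

# --- Approach A: per-source limits (Kevin's suggestion) -------------------
# A source that holds more than 100 concurrent connections, or opens more
# than 15 new ones within 5 seconds, is added to <abusers>, its existing
# states are flushed, and further packets from it are dropped.
table <abusers> persist
block in quick on $ext_if from <abusers>
pass in on $ext_if proto tcp to $web_ip port 80 flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, overload <abusers> flush global)
# Caveat (J David's point): with forged sources each address sends roughly
# one packet, so no single source ever crosses either threshold and the
# overload never triggers.

# --- Approach B: per-destination state cap (alternative to A) -------------
# The "max" option bounds the number of states this one rule may create.
# Because the rule matches only traffic to $web_ip, hitting the cap affects
# that address alone; other hosts behind the firewall keep their own budget.
# synproxy (assumed addition) makes pf complete the TCP handshake itself, so
# spoofed SYNs that never ACK create no state on the server.
# pass in quick on $ext_if proto tcp to $web_ip port 80 flags S/SA \
#     synproxy state (max 5000)
```

Note that when the per-rule cap in approach B is reached, new connections to that destination from legitimate clients are dropped too until existing states expire; that is the deliberate trade-off of confining the impact to the attacked address rather than letting the global state table fill. Check the effective limits with `pfctl -sr -v` (per-rule state counts) and `pfctl -si` (global state usage) after loading the ruleset.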


