Date: Thu, 28 Jun 2007 18:56:57 +0800
From: LI Xin <delphij@delphij.net>
To: Abdullah Ibn Hamad Al-Marri <almarrie@gmail.com>
Cc: FreeBSD PF Pro List <freebsd-pf@freebsd.org>
Subject: Re: Flush ICMP and UDP flooders
Message-ID: <468393F9.2030805@delphij.net>
In-Reply-To: <499c70c0706280328m497a613dg552901c7c9875ed2@mail.gmail.com>
References: <499c70c0706280328m497a613dg552901c7c9875ed2@mail.gmail.com>
Abdullah Ibn Hamad Al-Marri wrote:
> Hello,
>
> I would like to block ICMP and UDP flooders who exceed a reasonable number.
>
> #- Rate Limit UDP (150 per host)
> pass proto udp to any port $udp_services keep state
> pass in quick proto udp from any to any \
>     keep state \
>     (max-src-conn 1, max-src-states 151, \
>     overload <DDoS> flush global)
>
> #- Rate Limit ICMP (10 per host)
> pass in quick proto icmp from any to any \
>     keep state \
>     (max-src-conn 1, max-src-states 11, \
>     overload <DDoS> flush global)

I think ICMP and UDP can have their originating address forged, so this will effectively construct a true remotely triggerable DoS...

Cheers,
--
Xin LI <delphij@delphij.net>    http://www.delphij.net/
FreeBSD - The Power to Serve!
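To make the reply's point concrete, here is an added illustration (not code from the thread, from pf, or from either poster): a deliberately simplified Python model of pf's `max-src-states N, overload <table> flush global` behaviour. It assumes pf counts state entries per source address and, once a source exceeds the limit, inserts that source into the overload table and kills all of its states; since UDP and ICMP have no handshake, the counted "source" is whatever address the sender wrote into the IP header. The addresses and the `OverloadModel` class are constructed for the example.

```python
"""Simplified model of pf's ``max-src-states N, overload <table> flush global``.

Assumption (not verified against pf source): per-source state counting, with
table insertion and a global state flush once the limit is exceeded.  This is
enough to show why a forgeable source address turns the rule into a lever
against third parties.  All addresses below are constructed sample values.
"""

MAX_SRC_STATES = 11  # the ICMP limit from the quoted rule ("10 per host" + 1)


class OverloadModel:
    def __init__(self, max_src_states: int = MAX_SRC_STATES):
        self.max_src_states = max_src_states
        self.states = set()    # (src, dst, flow_key) tuples currently tracked
        self.overload = set()  # contents of the <DDoS> table

    def packet(self, src: str, dst: str, flow_key: int) -> bool:
        """Process one state-creating packet; return True if a state now exists for it."""
        if (src, dst, flow_key) in self.states:
            return True  # matches an existing state, nothing new to count
        own = sum(1 for s in self.states if s[0] == src)
        if own + 1 > self.max_src_states:
            # Limit exceeded: list the source and drop every state it holds
            # (the "flush global" part), including states it legitimately created.
            self.overload.add(src)
            self.states = {s for s in self.states if s[0] != src}
            return False
        self.states.add((src, dst, flow_key))
        return True


def spoofed_flood_demo() -> dict:
    """A bystander's address is written into the source field of forged packets."""
    m = OverloadModel()
    bystander, server = "192.0.2.10", "198.51.100.5"  # constructed addresses
    m.packet(bystander, server, 1)  # the bystander's own, legitimate ICMP state
    # Eleven further packets whose IP source field merely *claims* to be the bystander
    for icmp_id in range(100, 111):
        m.packet(bystander, server, icmp_id)
    return {
        "bystander_listed": bystander in m.overload,
        "bystander_states_left": sum(1 for s in m.states if s[0] == bystander),
    }
```

The demo ends with the bystander in the `<DDoS>` table and its legitimate state gone, which is the remotely triggerable DoS the reply warns about; the model has no notion of the sender's real address because, for these protocols, pf has none either.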
