Date: Fri, 03 Apr 2020 15:36:08 +0000
From: "Dave Cottlehuber" <dch@skunkwerks.at>
To: "David Mehler" <dave.mehler@gmail.com>, freebsd-questions <freebsd-questions@freebsd.org>
Subject: Re: dealing with DoS - practical tips & tools?
Message-ID: <495fcc41-5ff0-4ebe-8157-1f079675a9c5@www.fastmail.com>
In-Reply-To: <CAPORhP45qLHf0WiEGHEpXAeBcki=-5xXXB1ij0LCLs2N0S_MBg@mail.gmail.com>
References: <bb5105b4-78ab-4e6c-b4f6-70db867d690c@www.fastmail.com> <CAPORhP45qLHf0WiEGHEpXAeBcki=-5xXXB1ij0LCLs2N0S_MBg@mail.gmail.com>
On Fri, 3 Apr 2020, at 15:00, David Mehler wrote:
> On 4/3/20, Dave Cottlehuber <dch@skunkwerks.at> wrote:
> > yesterday I saw another mild DoS attack on our network. Typically we get UDP
> > floods and similar generic attacks, and also websocket-specific "layer 7"
> > attacks from random IPs.
>
> Hello,
>
> Where do you get your pf blocklists from?

Hi David,

funnily enough this pretty much nailed the layer7 stuff -- for the moment:

    curl -#L \
      https://ip-ranges.amazonaws.com/ip-ranges.json \
      | jq -reC '.prefixes[].ip_prefix, .ipv6_prefixes[].ipv6_prefix' \
      | sort \
      | uniq \
      > /etc/pf.amazon

> As for an idea try fail2ban see if that helps.

That might be a bit tricky as not a lot of this is HTTP traffic, and logs
are not local to the box, but yes this is worth a look too. Perhaps I can
get info via pflog and feed this in as well.

I've found zeek as well, suricata, & will see if I can get anything useful
out of graylog which we already have in place.

A+
Dave
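An added example (not from Dave's mail, and not FreeBSD's or AWS's code) that carries the same pipeline a step further: it parses an ip-ranges.json document (a constructed four-entry sample is embedded), validates every prefix with Python's ipaddress module so a truncated or tampered download cannot push junk into the pf table, optionally keeps only the named AWS services (blocking the whole of AWS also blocks CloudFront and anything else legitimately fronted by it), and emits the deduplicated, sorted one-prefix-per-line text a pf table file expects. The table name, the pf.conf lines and the pfctl reload in the comments are assumptions about how the file is wired into pf.

```python
import ipaddress
import json
from pathlib import Path

# Constructed sample in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json:
# one duplicate prefix, one CloudFront prefix, one malformed entry, one IPv6 prefix.
SAMPLE_JSON = """
{
  "syncToken": "0",
  "prefixes": [
    {"ip_prefix": "3.5.140.0/22", "region": "ap-northeast-2", "service": "EC2"},
    {"ip_prefix": "3.5.140.0/22", "region": "ap-northeast-2", "service": "AMAZON"},
    {"ip_prefix": "52.95.110.0/24", "region": "eu-west-1", "service": "CLOUDFRONT"},
    {"ip_prefix": "not-a-prefix", "region": "x", "service": "EC2"}
  ],
  "ipv6_prefixes": [
    {"ipv6_prefix": "2600:1f14::/35", "region": "us-west-2", "service": "EC2"}
  ]
}
"""

def aws_prefixes(doc, services=None):
    """Return sorted, deduplicated, syntactically valid prefixes from an
    ip-ranges.json document, optionally restricted to the given services."""
    data = json.loads(doc)
    nets = set()
    for key, field in (("prefixes", "ip_prefix"), ("ipv6_prefixes", "ipv6_prefix")):
        for entry in data.get(key, []):
            if services and entry.get("service") not in services:
                continue
            try:
                # strict=True rejects prefixes with host bits set, e.g. 10.0.0.1/24
                nets.add(ipaddress.ip_network(entry[field], strict=True))
            except (KeyError, ValueError):
                continue  # skip malformed entries instead of feeding pf garbage
    # IPv4 first, then IPv6, each numerically ordered, so the file is stable across runs
    return [str(n) for n in sorted(nets, key=lambda n: (n.version, n))]

def pf_table_text(prefixes):
    # pf table file format: one prefix per line, trailing newline
    return "\n".join(prefixes) + "\n"

def write_pf_table(prefixes, path):
    Path(path).write_text(pf_table_text(prefixes))
    # Assumed /etc/pf.conf:  table <amazon> persist file "/etc/pf.amazon"
    #                        block in quick from <amazon>
    # Reload without a full ruleset reload: pfctl -t amazon -T replace -f /etc/pf.amazon

if __name__ == "__main__":
    wanted = aws_prefixes(SAMPLE_JSON, services={"EC2", "AMAZON"})
    write_pf_table(wanted, "/tmp/pf.amazon.example")  # demo path, not /etc/pf.amazon
    print(pf_table_text(wanted), end="")
```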