Date: Tue, 21 Aug 2012 10:24:44 +0200
From: Daniel Hartmeier <daniel@benzedrine.cx>
To: J David <j.david.lists@gmail.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: Fighting DDOS attacks with pf
Message-ID: <20120821082444.GC31376@insomnia.benzedrine.cx>
In-Reply-To: <CABXB=RQhNbrObkY9x5FepkU8j=Sw%2BNJ92cqgTNw09Rh-yvFJPA@mail.gmail.com>
References: <CABXB=RQZx1m05gVNh4x3zc7sovGA8ZpzyaZeq_Gd1QHS0n7r1g@mail.gmail.com> <CAFpgnrPdzWWF9gu4zkPvE-6aWt0UX%2BMrZm2=WYsbJo9eQff5DA@mail.gmail.com> <CABXB=RQhNbrObkY9x5FepkU8j=Sw%2BNJ92cqgTNw09Rh-yvFJPA@mail.gmail.com>

On Mon, Aug 20, 2012 at 12:23:15PM -0400, J David wrote:

> Anything based on the source address is ineffective as the number of
> attack packets from any given IP is very low (frequently 1 if they are
> forged).

Why not use synproxy state?

> The goal for us is to clamp down on attacks directed at a given IP
> quickly and effectively enough that only that IP is affected.

How does it improve the situation for another destination? The attacker
will not immediately stop, the TCP SYNs will continue to flood in.

You're saying your uplink's downstream isn't saturated by them?
If so, what other resource are you trying to protect?

Daniel

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20120821082444.GC31376>