Date:      Tue, 21 Aug 2012 10:24:44 +0200
From:      Daniel Hartmeier <daniel@benzedrine.cx>
To:        J David <j.david.lists@gmail.com>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: Fighting DDOS attacks with pf
Message-ID:  <20120821082444.GC31376@insomnia.benzedrine.cx>
In-Reply-To: <CABXB=RQhNbrObkY9x5FepkU8j=Sw%2BNJ92cqgTNw09Rh-yvFJPA@mail.gmail.com>
References:  <CABXB=RQZx1m05gVNh4x3zc7sovGA8ZpzyaZeq_Gd1QHS0n7r1g@mail.gmail.com> <CAFpgnrPdzWWF9gu4zkPvE-6aWt0UX%2BMrZm2=WYsbJo9eQff5DA@mail.gmail.com> <CABXB=RQhNbrObkY9x5FepkU8j=Sw%2BNJ92cqgTNw09Rh-yvFJPA@mail.gmail.com>

On Mon, Aug 20, 2012 at 12:23:15PM -0400, J David wrote:

> Anything based on the source address is ineffective as the number of
> attack packets from any given IP is very low (frequently 1 if they are
> forged).

Why not use synproxy state?

> The goal for us is to clamp down on attacks directed at a given IP
> quickly and effectively enough that only that IP is affected.

How does it improve the situation for another destination?

The attacker will not immediately stop, the TCP SYNs will continue to
flood in. You're saying your uplink's downstream isn't saturated by
them? If so, what other resource are you trying to protect?

Daniel
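To make the synproxy suggestion above concrete, here is an added example pf.conf fragment; it is not from the thread or from the FreeBSD project. The interface name and the protected address are constructed placeholders, and the service ports are assumed.

```pf
# Added example, not part of the original message.
# Placeholders: replace ext_if and web_srv with the real interface and host.
ext_if  = "em0"
web_srv = "192.0.2.10"     # constructed address (TEST-NET-1)
web_ports = "{ 80 443 }"   # assumed services on the protected host

set skip on lo
# synproxy keeps the half-open handshake state in pf instead of on the
# server, so the state table limit is what a SYN flood now presses on.
set limit states 200000

# Default deny inbound, logged, so only the rules below open anything.
block in log on $ext_if

# pf answers the SYN itself and completes the three-way handshake before
# it opens a connection to $web_srv.  A forged SYN whose source never
# replies to the SYN-ACK therefore never reaches the server at all.
pass in on $ext_if proto tcp from any to $web_srv port $web_ports \
    flags S/SA synproxy state

# Remaining traffic from the protected host back out uses plain state.
pass out on $ext_if proto tcp from $web_srv keep state
```

Only the one destination gets the proxied handshake, which matches the goal of limiting the impact to the attacked IP; the packets still arrive on the link, which is Daniel's point about what resource is actually being protected.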



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20120821082444.GC31376>