Message-ID: <499c70c0705171315v3fcfe29fyfc046971c143e9d3@mail.gmail.com>
Date: Thu, 17 May 2007 23:15:27 +0300
From: "Abdullah Ibn Hamad Al-Marri"
To: freebsd-pf@freebsd.org
Subject: Best way to decrease DDoS with pf.
List-Id: "Technical discussion and general questions about packet filter \(pf\)"

Hello,

This isn't a bandwidth issue, but filling the network buffer more than anything else, so there are no more free sockets, and I can't connect to the server via ssh. It's not syn as well.

But mass connect to IRC server with small bw, and the server isn't lagged at all.

Rate: 245,919 Packets Per Second

What is the best way to deal with such DDoS?

These msgs are in the ircd, which I read when I'm opering up.

*** Notice -- throttled connections from 86.213.48.25 (3 in 1 seconds) for 2 minutes (offense 1)
*** Notice -- throttled connections from 189.12.134.86 (3 in 5 seconds) for 2 minutes (offense 1)
*** Notice -- throttled connections from 80.98.165.210 (3 in 2 seconds) for 5 minutes (offense 2)
*** Notice -- throttled connections from 85.66.74.255 (3 in 3 seconds) for 2 minutes (offense 1)
*** Notice -- throttled connections from 81.0.97.75 (3 in 9 seconds) for 2 minutes (offense 1)
*** Notice -- throttled connections from 86.213.48.25 (3 in 1 seconds) for 2 minutes (offense 1)

--
Regards,

-Abdullah Ibn Hamad Al-Marri
Arab Portal
http://www.WeArab.Net/