From: "Kian Mohageri"
To: "Abdullah Ibn Hamad Al-Marri"
Cc: freebsd-pf@freebsd.org
Date: Thu, 17 May 2007 14:21:13 -0700
Subject: Re: Best way to decrease DDoS with pf.
In-Reply-To: <499c70c0705171315v3fcfe29fyfc046971c143e9d3@mail.gmail.com>

On 5/17/07, Abdullah Ibn Hamad Al-Marri wrote:
> Hello,
>
> This isn't bandwidth issue, but filling the network buffer more than
> anything else, so there are no more free sockets, and I can't connect
> to the server via ssh, it's not syn as well.
>
> But mass connect to IRC server with small bw, and the server isn't
> lagged at all.
>
> Rate: 245,919 Packets Per Second
>
> What is the best way to deal with such DDoS?
>
> These msgs in the ircd which I read when I'm opering up.
>
> *** Notice -- throttled connections from 86.213.48.25 (3 in 1 seconds)
> for 2 minutes (offense 1)
> *** Notice -- throttled connections from 189.12.134.86 (3 in 5
> seconds) for 2 minutes (offense 1)
> *** Notice -- throttled connections from 80.98.165.210 (3 in 2
> seconds) for 5 minutes (offense 2)
> *** Notice -- throttled connections from 85.66.74.255 (3 in 3 seconds)
> for 2 minutes (offense 1)
> *** Notice -- throttled connections from 81.0.97.75 (3 in 9 seconds)
> for 2 minutes (offense 1)
> *** Notice -- throttled connections from 86.213.48.25 (3 in 1 seconds)
> for 2 minutes (offense 1)

I don't completely understand your question, but I think you're
looking for stateful tracking options including max-src-conn-rate and
the overload keyword.

http://www.openbsd.org/faq/pf/filter.html#stateopts

Kian
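
The stateful tracking options named in the reply above, sketched as a pf.conf fragment. This is an added example, not part of the original post or of either poster's ruleset. The interface name, the IRC port, the table names, the admin address and all thresholds are assumptions to be replaced with local values.

```pf
# --- assumptions: adjust to the local setup ---
ext_if   = "em0"                # external interface (assumed name)
irc_port = "6667"               # ircd listening port (assumed)

# Addresses allowed to reach sshd no matter what the rate limits do.
# 192.0.2.10 is a documentation placeholder, not a real admin host.
table <admins> persist { 192.0.2.10 }

# Sources that exceeded the limits below are added here by pf itself.
table <abusive_hosts> persist

set skip on lo0

# Default deny inbound, then drop overloaded sources before any pass rule.
block in on $ext_if all
block in quick on $ext_if from <abusive_hosts>

# Keep ssh reachable for administrators even while the ircd is flooded.
pass in quick on $ext_if proto tcp from <admins> to any port ssh \
    flags S/SA keep state

# IRC: per-source limits.
#   max-src-conn       simultaneous established connections per source
#   max-src-conn-rate  new established connections per interval (count/seconds)
#   overload <table>   add the offending source to the table
#   flush global       kill all existing states from that source, on any rule
# Both limits count only connections that completed the TCP three-way
# handshake, which matches a connect flood rather than a SYN flood.
pass in on $ext_if proto tcp from any to any port $irc_port \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 3/5, \
     overload <abusive_hosts> flush global)

pass out on $ext_if all keep state

# Operational checks (run from a shell, not part of pf.conf):
#   pfctl -t abusive_hosts -T show          list currently blocked sources
#   pfctl -t abusive_hosts -T expire 3600   drop entries older than one hour,
#                                           where the installed pfctl supports it
```

Entries in the overload table stay until removed, so a periodic expiry job keeps addresses that were blocked once from being blocked indefinitely.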