Date: Thu, 17 May 2007 14:21:13 -0700
From: "Kian Mohageri" <kian.mohageri@gmail.com>
To: "Abdullah Ibn Hamad Al-Marri" <almarrie@gmail.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: Best way to decrease DDoS with pf.
Message-ID: <fee88ee40705171421u6815946co5907bfff8d0e3f8f@mail.gmail.com>
In-Reply-To: <499c70c0705171315v3fcfe29fyfc046971c143e9d3@mail.gmail.com>
References: <499c70c0705171315v3fcfe29fyfc046971c143e9d3@mail.gmail.com>

On 5/17/07, Abdullah Ibn Hamad Al-Marri <almarrie@gmail.com> wrote:
> Hello,
>
> This isn't a bandwidth issue, but filling the network buffer more than
> anything else, so there are no more free sockets, and I can't connect
> to the server via ssh, it's not syn as well.
>
> But mass connect to IRC server with small bw, and the server isn't
> lagged at all.
>
> Rate: 245,919 Packets Per Second
>
> What is the best way to deal with such DDoS?
>
> These msgs in the ircd which I read when I'm opering up.
>
> *** Notice -- throttled connections from 86.213.48.25 (3 in 1 seconds)
> for 2 minutes (offense 1)
> *** Notice -- throttled connections from 189.12.134.86 (3 in 5
> seconds) for 2 minutes (offense 1)
> *** Notice -- throttled connections from 80.98.165.210 (3 in 2
> seconds) for 5 minutes (offense 2)
> *** Notice -- throttled connections from 85.66.74.255 (3 in 3 seconds)
> for 2 minutes (offense 1)
> *** Notice -- throttled connections from 81.0.97.75 (3 in 9 seconds)
> for 2 minutes (offense 1)
> *** Notice -- throttled connections from 86.213.48.25 (3 in 1 seconds)
> for 2 minutes (offense 1)

I don't completely understand your question, but I think you're
looking for stateful tracking options including max-src-conn-rate and
the overload keyword.

http://www.openbsd.org/faq/pf/filter.html#stateopts

Kian
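
A pf.conf fragment using the stateful tracking options named in the reply above. This is an added example, not part of the original message or of anyone's posted ruleset. The interface name, the table name, port 6667 and the numeric limits are assumptions chosen for illustration (the 3/5 rate mirrors the "3 in 5 seconds" throttle in the quoted ircd notices).

```pf
# Assumed names and values: em0, <irc_abusers>, port 6667, limits 10 and 3/5.
ext_if = "em0"

# Sources that trip the limits below are added here by "overload".
table <irc_abusers> persist

# Drop everything from overloaded sources before any pass rule is evaluated.
block in quick on $ext_if from <irc_abusers>

# Per-source limits on the IRC port:
#   max-src-conn 10        at most 10 simultaneous established connections
#   max-src-conn-rate 3/5  at most 3 new connections in any 5 second window
#   overload <table>       put the offending source address in the table
#   flush global           kill all existing states from that source,
#                          including states created by other rules
# Both limits count only connections that completed the TCP three-way
# handshake, so they apply to real connect floods, not spoofed SYNs.
pass in on $ext_if proto tcp to ($ext_if) port 6667 flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 3/5, \
     overload <irc_abusers> flush global)

# Table entries do not age out on their own. Where pfctl supports it,
# a periodic job can remove entries older than N seconds:
#   pfctl -t irc_abusers -T expire 120
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and list the sources caught so far with `pfctl -t irc_abusers -T show`.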