Date:      Wed, 9 Feb 2011 19:51:18 +0100
From:      Daniel Hartmeier <daniel@benzedrine.cx>
To:        Vadym Chepkov <vchepkov@gmail.com>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: brutal SSH attacks
Message-ID:  <20110209185118.GA16942@insomnia.benzedrine.cx>
In-Reply-To: <A141DF22-E35C-46BD-B88B-D68800812359@gmail.com>
References:  <D04005BA-E154-4AE3-B14B-F9E6EF1269B0@gmail.com> <5A0B04327C334DA18745BFDBDBECE055@charlieroot.de> <A6E48F78-AC10-40DE-9345-86D14CC4D3A1@gmail.com> <98689EFE59404E4B838E79071AABA8B4@charlieroot.de> <56413CA2-EE4F-4E06-B044-0982E864E44D@gmail.com> <A141DF22-E35C-46BD-B88B-D68800812359@gmail.com>

On Tue, Feb 08, 2011 at 08:07:52PM -0500, Vadym Chepkov wrote:

> No idea, why it didn't stop after 9 attempts.

The connection rate is not calculated precisely; from pf.conf(5):

     max-src-conn-rate <number> / <seconds>
           Limit the rate of new connections over a time interval.  The con-
           nection rate is an approximation calculated as a moving average.

There is a counter, and a last-update-time.

When the first connection matches, the counter starts at zero, and the
time (one second resolution) is noted.

Whenever a subsequent connection matches, the following happens:

  1) if the last-update-time is further back than <seconds> (60, in your
     case), the counter is reset to zero.
  2) otherwise, the counter is reduced relative to how much time has
     passed since last-update-time (i.e. the counter is multiplied by
     (now - last-update-time) / <seconds>)
  3) the counter is incremented by 1000

When the counter exceeds 1000 * <number> (9, in your case), the
max-src-conn-rate is triggered.

This works reasonably well in many cases, but may be quite imprecise,
especially when <number> is much smaller than <seconds>.

You could try max-src-conn-rate 2/5 instead.

The details can be found in pf.c, see

  http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/contrib/pf/net/pf.c?rev=HEAD

The reason this was chosen over a more precise algorithm is that this is
very cheap CPU-wise and requires only a minimal amount of memory.

Regards,
Daniel
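The counter arithmetic Daniel describes above, as an added simulation that is not part of the original message or of pf itself. It follows pf.c's pf_add_threshold()/pf_check_threshold() as I read them (count decays by count * diff / seconds in integer arithmetic, resets when diff is at least <seconds>, then gains 1000; the rule trips when count exceeds <number> * 1000); treat those details, the function names, and the constructed connection timings as assumptions. The point it makes visible is the imprecision for 9/60: one new connection every 5 seconds is 12 per minute, yet the rule only trips on the 16th connection, 75 seconds in, while a burst in a single second trips on the 10th.

```c
/*
 * Added example: simulate pf's max-src-conn-rate moving-average counter.
 * The arithmetic mirrors pf_add_threshold()/pf_check_threshold() in pf.c
 * as I understand them (assumption); it is not code from the mailing list.
 */
#include <stdint.h>
#include <stdio.h>

#define PF_THRESHOLD_MULT 1000   /* the "1000" in the message */

struct pf_threshold {
    uint32_t limit;   /* <number> * PF_THRESHOLD_MULT */
    uint32_t seconds; /* <seconds> */
    uint32_t count;   /* decaying counter */
    uint32_t last;    /* last-update-time, whole seconds */
};

static void threshold_init(struct pf_threshold *th, uint32_t number, uint32_t seconds)
{
    th->limit = number * PF_THRESHOLD_MULT;
    th->seconds = seconds;
    th->count = 0;
    th->last = 0;
}

/* Called once per matching connection at time t (whole seconds): steps 1-3. */
static void threshold_add(struct pf_threshold *th, uint32_t t)
{
    uint32_t diff = t - th->last;

    if (diff >= th->seconds)
        th->count = 0;                               /* 1) window expired: reset */
    else
        th->count -= th->count * diff / th->seconds; /* 2) decay by elapsed fraction (integer math) */
    th->count += PF_THRESHOLD_MULT;                  /* 3) this connection adds 1000 */
    th->last = t;
}

static int threshold_exceeded(const struct pf_threshold *th)
{
    return th->count > th->limit;                    /* > <number> * 1000 */
}

/*
 * Feed n connections `spacing` seconds apart (constructed timings; spacing 0
 * means a burst within one second). Returns the 1-based index of the
 * connection that trips the rule, or 0 if none of the n connections does.
 */
int connections_until_trigger(uint32_t number, uint32_t seconds,
                              uint32_t spacing, uint32_t n)
{
    struct pf_threshold th;
    const uint32_t t0 = 1000000;   /* arbitrary epoch, well past last = 0 */

    threshold_init(&th, number, seconds);
    for (uint32_t i = 1; i <= n; i++) {
        threshold_add(&th, t0 + (i - 1) * spacing);
        if (threshold_exceeded(&th))
            return (int)i;
    }
    return 0;
}

int main(void)
{
    struct { uint32_t number, seconds, spacing; } cases[] = {
        { 9, 60, 0 }, { 9, 60, 5 }, { 9, 60, 7 }, { 2, 5, 1 }, { 2, 5, 5 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int hit = connections_until_trigger(cases[i].number, cases[i].seconds,
                                            cases[i].spacing, 30);
        printf("max-src-conn-rate %u/%u, one connection every %us: ",
               cases[i].number, cases[i].seconds, cases[i].spacing);
        if (hit)
            printf("trips on connection %d\n", hit);
        else
            printf("never trips within 30 connections\n");
    }
    return 0;
}
```

Two caveats the simulation shows: with 9/60, one connection every 7 seconds (about 8.6 per minute) settles at a counter near 8572 and never trips, which is the intended behaviour, but at 5-second spacing the counter needs 16 connections to climb past 9000 even though the rate is 12 per minute; and with 2/5, connections spaced exactly 5 seconds apart reset the counter every time and never trip, so a smaller window only helps against attempts that arrive faster than the window.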



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20110209185118.GA16942>