Flush ICMP and UDP flooders
Abdullah Ibn Hamad Al-Marri
almarrie at gmail.com
Thu Jun 28 11:00:45 UTC 2007
On 6/28/07, LI Xin <delphij at delphij.net> wrote:
> Abdullah Ibn Hamad Al-Marri wrote:
> > Hello,
> >
> > I would like to block ICMP and UDP flooders who exceed a reasonable number.
> >
> > #- Rate Limit UDP (150 per host)
> > pass proto udp to any port $udp_services keep state
> > pass in quick proto udp from any to any \
> > keep state \
> > (max-src-conn 1,max-src-states 151, \
> > overload <DDoS> flush global)
> >
> > #- Rate Limit ICMP (10 per host)
> > pass in quick proto icmp from any to any \
> > keep state \
> > (max-src-conn 1,max-src-states 11, \
> > overload <DDoS> flush global)
>
> I think ICMP and UDP can have their originating address forged, so this
> will effectively construct a true remote triggerable DoS...
>
> Cheers,
> --
> Xin LI <delphij at delphij.net> http://www.delphij.net/
> FreeBSD - The Power to Serve!
Thank you Li,
I set antispoof in my pf.conf for the nic, would these rule help or
not? do you have suggestions about the values? I run bind on the
servers.
--
Regards,
-Abdullah Ibn Hamad Al-Marri
Arab Portal
http://www.WeArab.Net/
More information about the freebsd-pf
mailing list