Best way to decrease DDoS with pf.

Kian Mohageri kian.mohageri at gmail.com
Thu May 17 21:21:16 UTC 2007


On 5/17/07, Abdullah Ibn Hamad Al-Marri <almarrie at gmail.com> wrote:
> Hello,
>
> This isn't bandwidth issue, but filling the network buffer more than
> anything else, so there are no more free sockets, and I can't connect
> to the server via ssh, it's not syn as well.
>
> But mass connect to IRC server with small bw, and the server isn't
> lagged at all.
>
> Rate: 245,919 Packets Per Second
>
> What is the best way to deal with such DDoS?
>
> These msgs in the ircd which I read when I'm opering up.
>
> *** Notice -- throttled connections from 86.213.48.25 (3 in 1 seconds)
> for 2 minutes (offense 1)
> *** Notice -- throttled connections from 189.12.134.86 (3 in 5
> seconds) for 2 minutes (offense 1)
> *** Notice -- throttled connections from 80.98.165.210 (3 in 2
> seconds) for 5 minutes (offense 2)
> *** Notice -- throttled connections from 85.66.74.255 (3 in 3 seconds)
> for 2 minutes (offense 1)
> *** Notice -- throttled connections from 81.0.97.75 (3 in 9 seconds)
> for 2 minutes (offense 1)
> *** Notice -- throttled connections from 86.213.48.25 (3 in 1 seconds)
> for 2 minutes (offense 1)


I don't completely understand your question, but I think you're
looking for stateful tracking options including max-src-conn-rate and
the overload keyword.

http://www.openbsd.org/faq/pf/filter.html#stateopts

Kian
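
The stateful tracking options named in the reply above, shown as an added pf.conf example that is not part of the original message. The interface name, IRC port, table name and every threshold are assumptions to be tuned for the real server; these limits only count connections that have completed the TCP handshake, which matches the non-SYN connection flood described in the question.

```conf
# Added example, not from the original thread.
# Assumed values: em0, port 6667, table name <irc_abusers>, all limits.

ext_if   = "em0"      # assumed external interface
irc_port = "6667"     # assumed ircd listening port

# Sources that exceed the limits below are added here by pf itself.
table <irc_abusers> persist

set skip on lo0

# Drop offenders before any pass rule can match them.
block in quick on $ext_if from <irc_abusers>

# Keep management access on its own rule so an IRC connection flood
# cannot consume the limits that protect ssh.
pass in on $ext_if proto tcp to ($ext_if) port ssh \
    flags S/SA keep state

# Weak form: stateful, but one source may open unlimited connections.
# pass in on $ext_if proto tcp to ($ext_if) port $irc_port \
#     flags S/SA keep state

# Limited form:
#   max-src-conn 10        at most 10 simultaneous established
#                          connections per source address
#   max-src-conn-rate 3/10 at most 3 new connections per 10 seconds
#                          per source address
#   overload <irc_abusers> a source that breaks either limit is added
#                          to the table
#   flush global           and all of its existing states, on every
#                          rule, are killed immediately
pass in on $ext_if proto tcp to ($ext_if) port $irc_port \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 3/10, \
     overload <irc_abusers> flush global)

# Inspect and age out the table from the shell (cron for the expiry):
#   pfctl -t irc_abusers -T show
#   pfctl -t irc_abusers -T expire 3600
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and make sure the address you administer from cannot end up in the overload table.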

