prompt solution with max-src-conn-rate

Travis H. solinym at gmail.com
Tue May 16 05:01:12 UTC 2006


> You have to be aware that this otoh might open you to DoS attacks.  People
> spoofing connections from your address will lock you out from your own
> server.

It requires spoofing a full TCP connect, which is more difficult than
most DoS types are willing to do.  Even harder if you're doing
"reassemble tcp" to protect the weak host's SYN packets.

I've never heard a report of this kind of DoS in practice.
-- 
"Curiosity killed the cat, but for a while I was a suspect" -- Steven Wright
Security Guru for Hire http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484
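The lockout scenario debated above, as an added pf.conf illustration that is not part of the original message or of any poster's configuration. The macro $ext_if, the table names and the addresses in the admins table (RFC 5737 documentation ranges) are assumptions; the scrub line uses the separate scrub rule syntax of pf as shipped around 2006, which is the era of this thread.

```pf
# Added example: rate-limit SSH with max-src-conn-rate while keeping
# administrator addresses out of the overload table entirely.
ext_if = "em0"

# Assumed administrator sources; never subject to the connection-rate limit.
table <admins> persist { 192.0.2.10, 198.51.100.0/24 }
# Sources that exceeded the rate; populated by the overload keyword below.
table <bruteforce> persist

# Normalize traffic. "reassemble tcp" is the option mentioned in the
# thread; it also drops out-of-window and otherwise bogus segments
# before they reach hosts with weak TCP stacks.
scrub in on $ext_if all reassemble tcp

# 1. Blocked sources first, so an overloaded address loses all access
#    to the host (flush global below also kills its existing states).
block in quick on $ext_if from <bruteforce>

# 2. Administrators bypass the rate limit. A quick rule that matches
#    before the limited rule means an admin address can never be added
#    to <bruteforce>, whatever anyone else does to this port.
pass in quick on $ext_if proto tcp from <admins> to ($ext_if) port ssh \
    flags S/SA keep state

# 3. Everyone else: at most 10 concurrent SSH connections per source and
#    at most 5 new connections per 30 seconds. Both counters are applied
#    when a connection reaches the established state, so a source only
#    lands in <bruteforce> after completing TCP handshakes from that
#    address, which is the point made in the reply above.
pass in on $ext_if proto tcp to ($ext_if) port ssh flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/30, \
     overload <bruteforce> flush global)
```

The ordering matters: the block rule must precede the limited pass rule, and the admin bypass must carry `quick` so evaluation stops before the rate-limited rule is reached. If a legitimate source does end up in the table, `pfctl -t bruteforce -T show` lists it and `pfctl -t bruteforce -T delete <address>` releases it without touching the rest of the ruleset.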


More information about the freebsd-pf mailing list