Fighting DDOS attacks with pf
Victor Detoni
victordetoni at gmail.com
Mon Aug 20 16:09:30 UTC 2012
David,
Have you looked *optimization* at link below? Maybe it helps you.
http://www.openbsd.org/faq/pf/options.html
On Mon, Aug 20, 2012 at 12:53 PM, J David <j.david.lists at gmail.com> wrote:
> Hello,
>
> We experience frequent DDOS attacks, and we're having a tough time
> mitigating them with pf. We have plenty of bandwidth and processing
> power, we just can't seem to get the rules right.
>
> If, for example, I have a single IP address on the outside attacking a
> range of IPs on the inside, it is very easy to write a max-src-states
> rule that will count the states for that IP and flush the attacker to
> a "drop quick" table if they exceed the limit.
>
> However, the nature of a DDOS attack is that there is not a single
> source IP. The source IP is either outright forged or one of a large
> number of compromised attacking hosts. So what I really want to do is
> have a "max-dst-states" rule that would at least temporarily blackhole
> an IP being attacked, but there's no such thing.
>
> Currently we have to run a script once per minute that parses "pfctl
> -s info" looking for large numbers of states to a common destination.
> But as we have our states set to 1000000, this is really inefficient
> and of course takes at least a minute to catch up to an attack.
>
> Is there a better way to do this?
>
> This is on FreeBSD 9.1-PRERELEASE #0 r238540.
>
> Thanks for any help!
> _______________________________________________
> freebsd-pf at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
>
More information about the freebsd-pf
mailing list