Fighting DDOS attacks with pf

Jason Hellenthal jhellenthal at dataix.net
Mon Aug 20 16:27:57 UTC 2012


All of the methods listed in more recent messages are just fine
methods to *somewhat* handle the DDoS on the hosts being attacked.

- *But* -

The only way you are going to take care of this is going to your
provider at the next level and asking them for assistance. Most of the
addresses you will be seeing are probably spoofed or part of some
amplification attack, at which you will end up blocking out legitimate
customers anyhow.

So level up and go to your Tier 2, Tier 1's.


On Mon, Aug 20, 2012 at 11:53:09AM -0400, J David wrote:
> Hello,
> 
> We experience frequent DDOS attacks, and we're having a tough time
> mitigating them with pf.  We have plenty of bandwidth and processing
> power, we just can't seem to get the rules right.
> 
> If, for example, I have a single IP address on the outside attacking a
> range of IPs on the inside, it is very easy to write a max-src-states
> rule that will count the states for that IP and flush the attacker to
> a "drop quick" table if they exceed the limit.
> 
> However, the nature of a DDOS attack is that there is not a single
> source IP.  The source IP is either outright forged or one of a large
> number of compromised attacking hosts.  So what I really want to do is
> have a "max-dst-states" rule that would at least temporarily blackhole
> an IP being attacked, but there's no such thing.
> 
> Currently we have to run a script once per minute that parses "pfctl
> -s info" looking for large numbers of states to a common destination.
> But as we have our states set to 1000000, this is really inefficient
> and of course takes at least a minute to catch up to an attack.
> 
> Is there a better way to do this?
> 
> This is on FreeBSD 9.1-PRERELEASE #0 r238540.
> 
> Thanks for any help!
> _______________________________________________
> freebsd-pf at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"

-- 

 - (2^(N-1)) JJH48-ARIN
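A worked version of the per-destination scan the quoted question describes, added here as an example and not code from either poster or from the pf project. It assumes "pfctl -ss" output in the FreeBSD 9 format mirrored in the constructed SAMPLE_STATES, a table named "ddos_victims" (with the pf.conf counterpart shown in the comments, also assumed), and THRESHOLD as the state-count cut-off; the per-source limit in the pf.conf comment uses max-src-conn-rate with overload, since that is the combination overload is documented to act on.

```shell
#!/bin/sh
# Added example (not code from the thread): find destinations that hold an
# unusually large share of pf states and add them to a blackhole table.
# Assumptions: "pfctl -ss" output in the FreeBSD 9 format mirrored in
# SAMPLE_STATES, a table named "ddos_victims", and THRESHOLD as the cut-off.
#
# Assumed pf.conf counterpart (per-source limits go through overload,
# per-destination blackholing is done by this script):
#
#   table <attackers>    persist
#   table <ddos_victims> persist
#   block drop in quick on $ext_if from <attackers>
#   block drop in quick on $ext_if to   <ddos_victims>
#   pass in on $ext_if proto tcp to $webservers port 80 \
#       keep state (max-src-conn-rate 100/10, overload <attackers> flush global)

THRESHOLD="${THRESHOLD:-3}"
TABLE="${TABLE:-ddos_victims}"

# Constructed sample of "pfctl -ss" output; not captured from a real host.
# Inbound states read "dst <- src", outbound states read "src -> dst";
# a NAT'd state carries the translated address in parentheses before the arrow.
SAMPLE_STATES='all tcp 192.0.2.10:80 <- 198.51.100.5:51234       ESTABLISHED:ESTABLISHED
all tcp 192.0.2.10:80 <- 198.51.100.6:51235       SYN_SENT:CLOSED
all tcp 192.0.2.10:80 <- 198.51.100.7:51236       SYN_SENT:CLOSED
all tcp 192.0.2.10:80 <- 198.51.100.8:51237       SYN_SENT:CLOSED
all udp 192.0.2.11:53 <- 198.51.100.9:4000       NO_TRAFFIC:SINGLE
all tcp 192.0.2.12:443 (10.0.0.12:443) <- 198.51.100.10:40000       ESTABLISHED:ESTABLISHED
all tcp 10.0.0.5:40001 -> 192.0.2.13:22       ESTABLISHED:ESTABLISHED'

# Read state lines on stdin; print "count address" for each destination
# holding more than THRESHOLD states, busiest first.
hot_destinations() {
    awk -v thr="$THRESHOLD" '
        {
            # locate the direction arrow; skip lines that are not states
            for (i = 3; i <= NF; i++) if ($i == "<-" || $i == "->") break
            if (i > NF) next
            # for inbound states the attacked address is the left-hand one
            dst = ($i == "<-") ? $3 : $(i + 1)
            # drop the port: "[port]" for IPv6, ":port" for IPv4
            if (dst ~ /\]$/) sub(/\[[0-9]+\]$/, "", dst)
            else             sub(/:[0-9]+$/,   "", dst)
            n[dst]++
        }
        END { for (d in n) if (n[d] > thr) print n[d], d }
    ' | sort -rn
}

# Feed hot destinations into the blackhole table. Run from cron, e.g.
#   * * * * * pfctl -ss | /usr/local/sbin/ddos-dst.sh blackhole
blackhole_hot() {
    hot_destinations | while read -r count addr; do
        pfctl -t "$TABLE" -T add "$addr" && \
            logger -t ddos-dst "blackholed $addr ($count states)"
    done
}

if [ "$1" = "blackhole" ]; then
    blackhole_hot
else
    # demo on the constructed sample; prints "4 192.0.2.10"
    printf '%s\n' "$SAMPLE_STATES" | hot_destinations
fi
```

Reading "pfctl -ss" once per run and counting with a single awk pass keeps the cost linear in the number of states, and sorting by count means the first line is always the most concentrated destination. Blackholing a destination still drops legitimate traffic to that host, which is the trade-off the reply above points out; the table entry is what you would clear (pfctl -t ddos_victims -T delete) once the flood stops.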
