Blacklisting DOS IPs

Mauricio López mlopezqc at gmail.com
Wed Sep 21 13:37:07 UTC 2011


I'm currently using a pfSense box as a gateway and I was recently the victim
of a DNS DOS attack. That made me think about how I could blacklist those IPs
automatically. I looked through the pf documentation and the thing that
seemed more like it was the max-src-conn-rate option, but then I
realized that it's useless with UDP when some hosts send you vast
amounts of packets.

I'm thinking about making a script using awk and pftop output to watch
for states that have more than 1Mb of traffic (regular DNS queries
aren't that big) and put those hosts in a table for blocking. My
question is whether there is some other, more efficient solution for this
problem.

Thanks in advance

-- 
Saludos de
Mauricio López-Quintana Conesa
Administrador de Redes
Dirección de Patrimonio
Oficina del Historiador
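
An added sketch of the script described above; it is not part of the original message. It reads `pfctl -vss` output instead of pftop, and it sums bytes per source across all of that source's inbound UDP/53 states, because a sender that varies its source port spreads its traffic over many small states. Assumptions: IPv4 only, the two-line-per-state layout of `pfctl -vss`, a 1 MiB default threshold, and a hypothetical table named `dns_abusers`.

```shell
#!/bin/sh
# Added example: list peers whose inbound UDP/53 states exceed a byte threshold.
# LIMIT is in bytes; 1048576 (1 MiB) is an assumed reading of the post's "1Mb".
LIMIT=${LIMIT:-1048576}

# Reads a `pfctl -vss` style listing on stdin, prints one source IP per line.
heavy_dns_peers() {
    awk -v limit="$LIMIT" '
        # State line: "all udp LOCAL:53 <- PEER:PORT  STATE"; with NAT/rdr the
        # address just before the arrow may be wrapped in parentheses.
        $2 == "udp" {
            peer = ""
            for (i = 3; i < NF; i++)
                if ($i == "<-" && $(i-1) ~ /:53\)?$/) {
                    peer = $(i+1)
                    sub(/:[0-9]+$/, "", peer)   # drop the source port
                }
            next
        }
        # Detail line: "age ..., expires in ..., P:P pkts, B:B bytes, rule N"
        peer != "" && $1 == "age" {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^bytes/) {
                    split($(i-1), b, ":")       # bytes in each direction
                    total[peer] += b[1] + b[2]
                }
            peer = ""
        }
        END { for (p in total) if (total[p] > limit) print p }
    ' | sort
}

# Constructed sample (documentation address ranges), not real capture data.
sample_states() {
cat <<'EOF'
all udp 192.0.2.10:53 <- 203.0.113.5:40001       NO_TRAFFIC:SINGLE
   age 00:00:09, expires in 00:00:21, 9000:0 pkts, 700000:0 bytes, rule 4
all udp 192.0.2.10:53 <- 203.0.113.5:40002       NO_TRAFFIC:SINGLE
   age 00:00:08, expires in 00:00:22, 8000:0 pkts, 600000:0 bytes, rule 4
all udp 192.0.2.10:53 <- 198.51.100.7:53111       MULTIPLE:MULTIPLE
   age 00:00:02, expires in 00:00:58, 1:1 pkts, 64:120 bytes, rule 4
all tcp 192.0.2.10:22 <- 198.51.100.9:50000       ESTABLISHED:ESTABLISHED
   age 01:00:00, expires in 23:59:59, 90000:90000 pkts, 50000000:50000000 bytes, rule 2
EOF
}

# Live use on the gateway (not run here):
#   pfctl -vss | heavy_dns_peers | xargs pfctl -t dns_abusers -T add
```

UDP source addresses can be spoofed, so exempt your own resolvers and known clients before feeding the table, and age entries out with `pfctl -t dns_abusers -T expire 3600` rather than blocking forever.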




More information about the freebsd-questions mailing list