dealing with DoS - practical tips & tools?

David Mehler dave.mehler at
Fri Apr 3 15:00:50 UTC 2020


Where do you get your pf blocklists from?

As for an idea, try fail2ban and see if that helps.


On 4/3/20, Dave Cottlehuber <dch at> wrote:
> Yesterday I saw another mild DoS attack on our network. Typically we get UDP
> floods and similar generic attacks, and also websocket-specific "layer 7"
> attacks from random IPs.
> Typically a few applications go offline when sockets are exhausted, or when
> their rate limiting kicks in hard.
> Currently my setup is naive:
> - pf with manual blocklists as required
> - haproxy for layer7 blocklists
> - off-server logs indexed in graylog
> Which is pretty limited in both understanding what's happening *right now*,
> and also doing anything other than manual reaction to issues, *after* they
> impact users.
> Before we go full Cloudflare or whatever, where DDoS protection costs
> an arm and a leg, what do people recommend as the next open-source steps?
> I'd like a couple of features - better real-time visibility, and some
> automation.
> perhaps:
> - last few hours of tcpdump level traffic, searchable in some form,
> off-server
> - something partially automated that can update pf & haproxy tables when
> Obviously Bad Things happen
> Are there any FreeBSD tools that people could recommend? Any tunables that
> help with resilience?
> A+
> Dave