dealing with DoS - practical tips & tools?
dch at skunkwerks.at
Fri Apr 3 15:36:51 UTC 2020
> On 4/3/20, Dave Cottlehuber <dch at skunkwerks.at> wrote:
> > yesterday I saw another mild DoS attack on our network. Typically we get UDP
> > floods and similar generic attacks, and also websocket-specific "layer 7"
> > attacks from random IPs.
On Fri, 3 Apr 2020, at 15:00, David Mehler wrote:
> Where do you get your pf blocklists from?
funnily enough this pretty much nailed the layer7 stuff -- for the moment:
# prefixes and ipv6_prefixes are arrays, so walk them with []; -C (colour) does
# nothing useful inside a pipe
curl -#L \
| jq -re '.prefixes[].ip_prefix, .ipv6_prefixes[].ipv6_prefix' \
| sort \
| uniq \
> As for an idea try fail2ban see if that helps.
That might be a bit tricky as not a lot of this is HTTP traffic, and logs are
not local to the box, but yes this is worth a look too. Perhaps I can get
info via pflog and feed this in as well.
I've found zeek and suricata as well, and will see if I can get anything useful
out of graylog, which we already have in place.
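The prefix-list trick above, worked into a script rather than a one-liner (an added example for this thread, not code from the post): it reads a feed in the layout the jq filter walks (prefixes[].ip_prefix and ipv6_prefixes[].ipv6_prefix), skips malformed entries instead of aborting, collapses overlapping and adjacent prefixes so the pf table stays small, and carves out ranges you must never block, such as your own hosts or your monitoring. The feed URL is not in the thread, so the script takes a file path instead; the exclude ranges, the table name cloud_src and the sample JSON are assumptions.

```python
#!/usr/bin/env python3
"""Build a pf table file from a cloud provider prefix feed.

Added example for this thread, not code from the post. It assumes the JSON
layout the jq filter in the post walks: {"prefixes": [{"ip_prefix": ...}],
"ipv6_prefixes": [{"ipv6_prefix": ...}]}. The feed URL is not given in the
thread; download the file yourself and pass its path on the command line.
SAMPLE_FEED is constructed data using documentation ranges.
"""
import ipaddress
import json
import sys

# Constructed sample in the same layout (documentation ranges, not real allocations).
SAMPLE_FEED = json.dumps({
    "prefixes": [
        {"ip_prefix": "198.51.100.0/24", "region": "eu-west-1", "service": "EC2"},
        {"ip_prefix": "198.51.100.128/25", "region": "eu-west-1", "service": "AMAZON"},
        {"ip_prefix": "203.0.113.0/25", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "203.0.113.128/25", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "not-a-prefix", "region": "us-east-1", "service": "EC2"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:1::/48", "region": "eu-west-1", "service": "EC2"},
        {"ipv6_prefix": "2001:db8:1::/48", "region": "eu-west-1", "service": "AMAZON"},
    ],
})


def extract_prefixes(feed_json):
    """Pull every v4 and v6 prefix out of the feed, skipping malformed entries
    instead of aborting (one bad line must not leave the table empty)."""
    doc = json.loads(feed_json)
    raw = [p["ip_prefix"] for p in doc.get("prefixes", [])]
    raw += [p["ipv6_prefix"] for p in doc.get("ipv6_prefixes", [])]
    nets = []
    for s in raw:
        try:
            nets.append(ipaddress.ip_network(s, strict=False))
        except ValueError:
            print(f"skipping malformed prefix {s!r}", file=sys.stderr)
    return nets


def collapse(nets):
    """Merge duplicates, covered prefixes and adjacent halves; v4 and v6 separately."""
    v4 = ipaddress.collapse_addresses([n for n in nets if n.version == 4])
    v6 = ipaddress.collapse_addresses([n for n in nets if n.version == 6])
    return list(v4) + list(v6)


def subtract(nets, exclude):
    """Carve excluded ranges (your own hosts, monitoring, upstream) out of the
    feed, splitting a feed prefix where the excluded range sits inside it."""
    result = []
    for n in nets:
        pieces = [n]
        for e in exclude:
            if e.version != n.version:
                continue
            kept = []
            for p in pieces:
                if p.subnet_of(e):          # entirely inside the excluded range: drop
                    continue
                if e.subnet_of(p):          # excluded range inside p: punch the hole
                    kept.extend(p.address_exclude(e))
                else:
                    kept.append(p)
            pieces = kept
        result.extend(pieces)
    return sorted(result, key=lambda x: (x.version, x))


def build_table(feed_json, exclude=()):
    """Return pf table entries (one prefix per line) for the given feed."""
    excl = [ipaddress.ip_network(e, strict=False) for e in exclude]
    nets = subtract(collapse(extract_prefixes(feed_json)), excl)
    return [n.with_prefixlen for n in nets]


if __name__ == "__main__":
    feed = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_FEED
    # Placeholder for ranges that must never end up in the block table.
    for entry in build_table(feed, exclude=["203.0.113.64/26"]):
        print(entry)
```

Load the result with pfctl -t cloud_src -T replace -f /etc/pf/cloud_src.txt, or declare table <cloud_src> persist file "/etc/pf/cloud_src.txt" in pf.conf. A whole-provider block also drops legitimate clients that egress from that provider (NAT gateways, VPNs, CI runners), so scope the rule to the websocket listener rather than blocking everything from the table.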
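One way to turn pflog into the fail2ban-style feed discussed above (an added example, not code from the post or from fail2ban): it parses the text that tcpdump -n -e -ttt -i pflog0 prints, counts inbound packets that hit a logged block rule per source, and emits pfctl -T add commands for two kinds of offender: a single host over a threshold, and a /24 (or /64) in which several distinct hosts each contributed, which is what a spread UDP flood looks like from one box. The line shape, the table name floodsrc, the thresholds and the sample log are assumptions; the timestamp prefix differs between tcpdump versions and is ignored.

```python
#!/usr/bin/env python3
"""Find flood sources in pflog output and emit pf table additions.

Added example for this thread, not code from the post or from fail2ban. It
assumes the text `tcpdump -n -e -ttt -i pflog0` prints per logged packet, i.e.
lines of the shape "... rule N/M(match): block in on IFACE: SRC.PORT > DST.PORT: ...";
the timestamp prefix differs between tcpdump versions and is ignored. The table
name "floodsrc", the thresholds and SAMPLE_PFLOG are constructed for the example.
"""
import ipaddress
import re
import sys
from collections import Counter, defaultdict

LINE_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(match\): (?P<action>pass|block) (?P<direction>in|out) "
    r"on (?P<ifname>\S+): (?P<src>\S+) > (?P<dst>\S+):"
)

# Constructed sample: a SYN flood from one host, a UDP flood spread over a /24,
# one passed connection, one v6 hit and one outbound block (documentation ranges).
SAMPLE_PFLOG = """\
00:00:00.000000 rule 12/0(match): block in on vtnet0: 203.0.113.7.51234 > 198.51.100.10.443: Flags [S], seq 1, win 64240, length 0
00:00:00.000120 rule 12/0(match): block in on vtnet0: 203.0.113.7.51235 > 198.51.100.10.443: Flags [S], seq 1, win 64240, length 0
00:00:00.000300 rule 12/0(match): block in on vtnet0: 203.0.113.7.51236 > 198.51.100.10.443: Flags [S], seq 1, win 64240, length 0
00:00:00.001000 rule 7/0(match): block in on vtnet0: 192.0.2.77.40000 > 198.51.100.10.53: UDP, length 512
00:00:00.001100 rule 7/0(match): block in on vtnet0: 192.0.2.78.40000 > 198.51.100.10.53: UDP, length 512
00:00:00.001200 rule 7/0(match): block in on vtnet0: 192.0.2.79.40000 > 198.51.100.10.53: UDP, length 512
00:00:00.002000 rule 3/0(match): pass in on vtnet0: 192.0.2.9.33000 > 198.51.100.10.443: Flags [S], seq 1, win 64240, length 0
00:00:00.003000 rule 12/0(match): block in on vtnet0: 2001:db8:bad::1.4000 > 2001:db8:10::1.443: Flags [S], seq 1, win 64240, length 0
00:00:00.004000 rule 12/0(match): block out on vtnet0: 198.51.100.10.443 > 203.0.113.7.51234: Flags [R], seq 1, win 0, length 0
"""


def split_endpoint(endpoint):
    """tcpdump prints HOST.PORT for both v4 and v6; ICMP lines carry no port."""
    host, sep, port = endpoint.rpartition(".")
    if sep:
        try:
            return ipaddress.ip_address(host), int(port)
        except ValueError:
            pass  # the last dotted field was part of a v4 address, not a port
    return ipaddress.ip_address(endpoint), None


def aggregate(addr):
    """Group sources into /24 (v4) or /64 (v6) to spot floods spread over a range."""
    bits = 24 if addr.version == 4 else 64
    return ipaddress.ip_network(f"{addr}/{bits}", strict=False)


def blocked_inbound(lines):
    """Yield the source address of every inbound packet that hit a logged block rule."""
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m["action"] != "block" or m["direction"] != "in":
            continue
        src, _port = split_endpoint(m["src"])
        yield src


def find_offenders(lines, host_threshold=3, spread_threshold=3):
    """Return prefixes to block: single hosts at or over host_threshold, plus
    aggregate ranges in which at least spread_threshold distinct hosts were
    blocked, which is how a spoofed or botnet UDP flood shows up in pflog."""
    per_host = Counter()
    hosts_per_net = defaultdict(set)
    for src in blocked_inbound(lines):
        per_host[src] += 1
        hosts_per_net[aggregate(src)].add(src)
    offenders = set()
    for host, n in per_host.items():
        if n >= host_threshold:
            offenders.add(f"{host}/{host.max_prefixlen}")
    for net, hosts in hosts_per_net.items():
        if len(hosts) >= spread_threshold:
            offenders.add(net.with_prefixlen)
    return sorted(offenders)


def pfctl_commands(offenders, table="floodsrc", expire_seconds=3600):
    """pfctl invocations: add the offenders, then age out entries older than expiry."""
    cmds = []
    if offenders:
        cmds.append(f"pfctl -t {table} -T add " + " ".join(offenders))
    cmds.append(f"pfctl -t {table} -T expire {expire_seconds}")
    return cmds


if __name__ == "__main__":
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_PFLOG.splitlines()
    for cmd in pfctl_commands(find_offenders(source)):
        print(cmd)
```

Run it from cron over the latest batch of pflog text and feed the output to sh; the -T expire call ages entries out, so a shared range that was blocked on aggregate does not stay blocked for good. pf only logs packets that hit rules marked log, so the counts reflect what you chose to log, not all traffic. For connection-rate floods against one service, pf can populate the same table without a script through max-src-conn-rate and overload <floodsrc> on the pass rule.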
More information about the freebsd-questions