dealing with DoS - practical tips & tools?

Dave Cottlehuber dch at
Fri Apr 3 15:36:51 UTC 2020

> On 4/3/20, Dave Cottlehuber <dch at> wrote:
> > yesterday I saw another mild DoS attack on our network. Typically we get UDP
> > floods and similar generic attacks, and also websocket-specific "layer 7"
> > attacks from random IPs.
On Fri, 3 Apr 2020, at 15:00, David Mehler wrote:
> Hello,
> Where do you get your pf blocklists from?

Hi David,

funnily enough this pretty much nailed the layer7 stuff -- for the moment:

curl -#L \ \
  | jq -reC '.prefixes[].ip_prefix, .ipv6_prefixes[].ipv6_prefix' \
  | sort \
  | uniq \
  > /etc/

> As for an idea try fail2ban see if that helps.

That might be a bit tricky as not a lot of this is HTTP traffic, and logs are
not local to the box, but yes this is worth a look too. Perhaps I can get
info via pflog and feed this in as well.

I've found zeek as well, suricata, & will see if I can get anything useful
out of graylog which we already have in place.


More information about the freebsd-questions mailing list