> This isn't a bandwidth issue, but filling the network buffer more than
> anything else, so there are no more free sockets, and I can't connect
> to the server via ssh. It's not SYN either.
>
> But mass connects to the IRC server with small bw, and the server isn't
> lagged at all.
>
> Rate: 245,919 Packets Per Second
>
> What is the best way to deal with such a DDoS?
Abdullah, I'm not quite sure if I get you right. If TCP traffic arrives without SYN set, you can easily block that by using 'pass ... flags S/SA' so the traffic never reaches your daemon. Also for TCP traffic you may want to try 'synproxy state'.

The last thing you can do is to use altq, feed the traffic into a low bandwidth queue and still be able to serve other traffic. As you can't control the downstream usage that way, you're at least able to limit the response and slow down traffic that way a bit. I'm doing this for SMTP traffic and it works great (I'm slowing down all SMTP traffic from Windows boxes to my home server to a maximum of 6 kBit/s; non-Windows boxes are getting 40 kBit/s for SMTP connections, a bit too rude, I know, but it works).

Keep in mind, if you're under a DDoS attack, your bandwidth may still be eaten up, but the effects on your machine will be limited when using S/SA + synproxy state + bandwidth limiting.

If I get you wrong, please explain your problem in a bit more detail.

HTH
Volker

_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
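The three measures Volker lists (a `flags S/SA` pass rule so only a clean SYN can open a state, `synproxy state` on the IRC port, and altq queues that cap the server's replies) fit together in a single pf.conf. The fragment below is an added example written for this thread, not Volker's or Abdullah's configuration; the interface name, addresses, ports and queue bandwidths are assumptions, and the altq lines only load on a FreeBSD kernel built with ALTQ support.

```pf
# Added example for the thread above; not a configuration posted by either
# participant. em0, 192.0.2.10 and the bandwidth figures are assumptions.

ext_if   = "em0"          # assumed external interface
srv_addr = "192.0.2.10"   # assumed server address (documentation range)
irc_port = "6667"         # assumed IRC listener port

# Shaper on the external interface. pf can only delay what leaves the box,
# so this limits the server's replies; the inbound flood still consumes
# the upstream link, which is the caveat Volker gives.
altq on $ext_if cbq bandwidth 10Mb queue { std, irc_q, smtp_win, smtp_other }
queue std        bandwidth 9Mb   cbq(default)
queue irc_q      bandwidth 512Kb             # assumed cap for IRC replies
queue smtp_win   bandwidth 6Kb               # Volker's limit for Windows senders
queue smtp_other bandwidth 40Kb              # Volker's limit for everyone else

set skip on lo0

# Default deny on the outside. Any TCP segment that is not part of an
# existing state (stray ACK, RST, FIN floods) is dropped here and never
# reaches a listening daemon.
block in on $ext_if

# Only a pure SYN (SYN set, ACK clear) may create state. With synproxy,
# pf completes the three-way handshake itself and hands the IRC daemon
# the connection only once a real client has answered, so spoofed or
# half-open attempts never occupy a socket on the server.
pass in on $ext_if proto tcp from any to $srv_addr port $irc_port \
    flags S/SA synproxy state queue irc_q

# SMTP: pf evaluates rules top to bottom and the LAST match wins (no
# "quick" here), so the generic rule comes first and the Windows-specific
# rule after it. "os" uses pf's passive fingerprints from pf.os.
pass in on $ext_if proto tcp from any to $srv_addr port smtp \
    flags S/SA keep state queue smtp_other
pass in on $ext_if proto tcp from any os "Windows" to $srv_addr port smtp \
    flags S/SA keep state queue smtp_win

# Let the server's own outbound connections through.
pass out on $ext_if keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, then watch `pfctl -vsq` to confirm replies are actually landing in the intended queues and `pfctl -ss` to see that only synproxy-completed IRC states exist. The queue figures above are deliberately conservative; tune them to the real uplink, and remember that the `cbq` child queues must not add up to more than the parent bandwidth.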