Hello,

We experience frequent DDoS attacks, and we're having a tough time
mitigating them with pf.  We have plenty of bandwidth and processing
power, we just can't seem to get the rules right.

If, for example, I have a single IP address on the outside attacking a
range of IPs on the inside, it is very easy to write a max-src-states
rule that will count the states for that IP and flush the attacker to
a "drop quick" table if they exceed the limit.

However, the nature of a DDoS attack is that there is not a single
source IP.  The source IP is either outright forged or one of a large
number of compromised attacking hosts.  So what I really want to do is
have a "max-dst-states" rule that would at least temporarily blackhole
an IP being attacked, but there's no such thing.

Currently we have to run a script once per minute that parses "pfctl
-s info" looking for large numbers of states to a common destination.
But as we have our states set to 1000000, this is really inefficient
and of course takes at least a minute to catch up to an attack.

Is there a better way to do this?

This is on FreeBSD 9.1-PRERELEASE #0 r238540.

Thanks for any help!
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"

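The per-minute "count states per destination" job the post describes, written out as an added example (it is not the poster's script and not part of pf or FreeBSD). It parses `pfctl -s states` output, where inbound states print as `local <- remote` and outbound as `local -> remote`, tallies states per destination address, and adds any address above a threshold to a pf table. The table name `blackhole`, the matching `block drop in quick to <blackhole>` rule in pf.conf, the absence of NAT rewriting in the state lines (no extra `(addr:port)` field) and the sample state listing are all assumptions constructed for the example; the `DRY_RUN` switch is likewise the example's own.

```shell
#!/bin/sh
# Added example (not the poster's script): find inside destinations that
# currently hold more than THRESHOLD pf states and add them to a pf table
# that a rule such as "block drop in quick to <blackhole>" consumes.
# Assumptions: no NAT field in the state lines, IPv4 only, table name below.

TABLE="blackhole"   # assumed table name; must exist in pf.conf

# Constructed sample of "pfctl -s states" output (not captured traffic):
# inbound states print "local <- remote", outbound print "local -> remote".
SAMPLE_STATES='all tcp 10.0.0.5:80 <- 203.0.113.7:51234       SYN_SENT:CLOSED
all tcp 10.0.0.5:80 <- 198.51.100.3:40001       SYN_SENT:CLOSED
all tcp 10.0.0.5:80 <- 198.51.100.9:40002       SYN_SENT:CLOSED
all tcp 10.0.0.5:80 <- 192.0.2.44:40003       SYN_SENT:CLOSED
all tcp 10.0.0.6:443 <- 203.0.113.8:51300       ESTABLISHED:ESTABLISHED
all udp 10.0.0.7:53 <- 203.0.113.9:5353       SINGLE:NO_TRAFFIC
all tcp 10.0.0.8:33000 -> 192.0.2.1:80       ESTABLISHED:ESTABLISHED'

# hot_destinations THRESHOLD  (state listing on stdin)
# Prints "count addr" for every destination address holding more than
# THRESHOLD states, highest count first.
hot_destinations() {
    awk -v limit="$1" '
        NF >= 5 {
            # fields 3 and 5 are addr:port, field 4 is the direction marker
            if ($4 == "<-") { dst = $3 }        # inbound: left side is the local target
            else if ($4 == "->") { dst = $5 }   # outbound: right side is the destination
            else { next }
            sub(/:[0-9]+$/, "", dst)            # strip the port
            count[dst]++
        }
        END {
            for (d in count)
                if (count[d] > limit) print count[d], d
        }' | sort -rn
}

# blackhole_hot_destinations THRESHOLD
# Live use: read the real state table and add offenders to the pf table.
# DRY_RUN=1 only reports what would be added.
blackhole_hot_destinations() {
    pfctl -s states | hot_destinations "$1" | while read -r count addr; do
        if [ "${DRY_RUN:-0}" = "1" ]; then
            echo "would add $addr ($count states) to <$TABLE>"
        else
            pfctl -t "$TABLE" -T add "$addr"
        fi
    done
}

# Stand-alone demo on the constructed sample (no pfctl needed):
printf '%s\n' "$SAMPLE_STATES" | hot_destinations 2
```

Run with `DRY_RUN=1 sh script.sh` after replacing the demo line with `blackhole_hot_destinations 5000` to see which addresses would be tabled; a second cron job or `pfctl -t blackhole -T expire` can age entries out again. With a million states this still walks the whole table each run, which is the inefficiency the post complains about; the `awk` pass is cheap, but `pfctl -s states` itself has to dump every state, so keep the interval and the threshold proportional to what the box actually serves.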