On Mon, Aug 20, 2012 at 11:53 AM, J David <j.david.li...@gmail.com> wrote:
> However, the nature of a DDOS attack is that there is not a single
> source IP. The source IP is either outright forged or one of a large
> number of compromised attacking hosts. So what I really want to do is
> have a "max-dst-states" rule that would at least temporarily blackhole
> an IP being attacked, but there's no such thing.

Rather than block on the number of states, take a look at dropping based on the number of connections over some time delta. Specifically, max-src-conn and max-src-conn-rate.

kmw
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"
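As an added example, not part of the thread and not kmw's or J David's configuration, here is a pf.conf fragment that contrasts the plain per-rule state cap with the per-source limits suggested in the reply. The interface name (em0), the table name (bruteforce), the port and all thresholds are assumptions chosen for illustration; tune them for the host in question.

```pf
# Added example pf.conf fragment (not from the original thread). Interface,
# table name, port and thresholds are assumptions.
ext_if = "em0"

# Table that collects abusive source addresses; "persist" keeps it across
# rule reloads so entries are not lost when the ruleset is re-read.
table <bruteforce> persist

# Drop traffic from any source already in the table before it reaches the
# stateful rule below. "quick" stops rule evaluation here.
block in quick on $ext_if from <bruteforce>

# Approach the thread starts from: a plain per-rule state cap. This limits
# the total number of states the rule may create but says nothing about any
# individual source, so a flood simply exhausts the cap and locks out
# legitimate clients along with the attackers.
# pass in on $ext_if proto tcp to port 80 keep state (max 10000)

# Per-source limits as suggested in the reply:
#   max-src-conn 100       at most 100 simultaneous TCP connections
#                          (completed 3-way handshake) from one source
#   max-src-conn-rate 15/5 at most 15 new connections per 5 seconds
#                          from one source
#   overload <bruteforce>  a source that exceeds either limit is added to
#                          the table, where the block rule above drops it
#   flush global           all states from that source are killed, not
#                          only the ones created by this rule
pass in on $ext_if proto tcp to port 80 flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, \
     overload <bruteforce> flush global)
```

Two practical notes. Both options only count TCP connections that have completed the three-way handshake, which is why pf can afford to act aggressively on them: the source address of a completed handshake is not spoofed. The flip side is that a flood of SYNs from forged addresses, the case the quoted message raises, never counts against either limit; synproxy state is the pf mechanism aimed at that. Second, overloaded addresses stay in the table until removed, so pair this with a periodic expiry such as `pfctl -t bruteforce -T expire 3600` from cron, and inspect the current contents with `pfctl -t bruteforce -T show`.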