David,

Have you looked at the *optimization* link below? Maybe it helps you.

http://www.openbsd.org/faq/pf/options.html

On Mon, Aug 20, 2012 at 12:53 PM, J David <j.david.li...@gmail.com> wrote:
> Hello,
>
> We experience frequent DDOS attacks, and we're having a tough time
> mitigating them with pf. We have plenty of bandwidth and processing
> power, we just can't seem to get the rules right.
>
> If, for example, I have a single IP address on the outside attacking a
> range of IPs on the inside, it is very easy to write a max-src-states
> rule that will count the states for that IP and flush the attacker to
> a "drop quick" table if they exceed the limit.
>
> However, the nature of a DDOS attack is that there is not a single
> source IP. The source IP is either outright forged or one of a large
> number of compromised attacking hosts. So what I really want to do is
> have a "max-dst-states" rule that would at least temporarily blackhole
> an IP being attacked, but there's no such thing.
>
> Currently we have to run a script once per minute that parses "pfctl
> -s info" looking for large numbers of states to a common destination.
> But as we have our states set to 1000000, this is really inefficient
> and of course takes at least a minute to catch up to an attack.
>
> Is there a better way to do this?
>
> This is on FreeBSD 9.1-PRERELEASE #0 r238540.
>
> Thanks for any help!
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"
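The per-destination state count that the quoted post's once-a-minute script computes, as an added example that is not part of either message and not code from the pf project: it reads `pfctl -s states` style lines from stdin and reports inside addresses holding at least a given number of inbound states. The sample lines, the `hot_destinations` function name and the threshold are constructed for illustration; NAT-rewritten entries with a parenthesised address are handled by taking the address just left of the parentheses.

```shell
#!/bin/sh
# Added example, not from the thread. Counts pf states per inside destination.
# Assumed line layout of `pfctl -s states` (FreeBSD/OpenBSD):
#   <if> <proto> <local:port> <- <remote:port>            <state>   (inbound)
#   <if> <proto> <local:port> (<nat:port>) <- <remote:port> <state> (inbound, NAT)
#   <if> <proto> <local:port> -> <remote:port>            <state>   (outbound, ignored)
# Only inbound ("<-") states count: those are what an attack piles onto a victim.

# Constructed sample standing in for real `pfctl -s states` output.
SAMPLE_STATES='all tcp 10.0.0.5:80 <- 203.0.113.7:51234       SYN_SENT:CLOSED
all tcp 10.0.0.5:80 <- 203.0.113.8:44321       SYN_SENT:CLOSED
all tcp 10.0.0.5:80 (198.18.0.1:80) <- 198.51.100.3:40001   SYN_SENT:CLOSED
all tcp 10.0.0.6:443 <- 203.0.113.9:33333      ESTABLISHED:ESTABLISHED
all udp 10.0.0.7:53 <- 198.51.100.4:5000       SINGLE:NO_TRAFFIC
all tcp 192.168.1.2:51000 -> 93.184.216.34:80   ESTABLISHED:ESTABLISHED'

# hot_destinations THRESHOLD  (states on stdin)
# Prints "<count> <address>" for every inside address with >= THRESHOLD
# inbound states, busiest first. Hypothetical helper name.
hot_destinations() {
    awk -v limit="$1" '
        {
            for (i = 2; i <= NF; i++) {
                if ($i != "<-") continue
                d = $(i - 1)
                # NAT form: "(public:port)" sits between the local address and "<-"
                if (substr(d, 1, 1) == "(") d = $(i - 2)
                sub(/:[0-9]+$/, "", d)   # strip the port, keep the address
                n[d]++
                break
            }
        }
        END { for (a in n) if (n[a] >= limit) printf "%d %s\n", n[a], a }
    ' | sort -rn
}

# Against a live box this would be: pfctl -s states | hot_destinations 5000
printf '%s\n' "$SAMPLE_STATES" | hot_destinations 3   # prints "3 10.0.0.5"
```

Feeding the reported addresses into a pf table with `pfctl -t <table> -T add` is the blackhole step the post describes; the threshold and interval are site-specific.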