Hello all, I know this is really stupid, but I'm trying to mitigate the effects of one hacked server on our (very large) network that is being used to DoS other computers on the Internet.
I do not have access to the server and I cannot take it down (due to different reasons), so instead I'm trying to prevent it from attacking other servers using pf.

First it was UDP-flooding some hosts, so I simply blocked it from doing that to anything outside our network with:

    block out quick on vlan100 proto udp from $HackedServer to ! <ournetwork>

Now it's SYN-flooding other servers on port 80; however, I cannot simply block outgoing TCP/80, as that will disrupt the service on the machine. So I'm trying something like this:

    # targets being attacked
    table <floodtargets> persist

    # block rule
    block out quick log on vlan100 from $HackedServer to <floodtargets>

    # overload rule
    pass out quick log on vlan100 inet proto tcp from $HackedServer to any keep state (max-src-conn 100, max-src-conn-rate 15/5, overload <floodtargets> flush global)

Problem is, the only address that gets added to the <floodtargets> table is that of the sending server. Any ideas on how to get the attack victims added to the table?

Thanks,
Boutros
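The reason the table only ever holds the sending server is that pf's overload mechanism tracks the source address of the states a rule creates, so max-src-conn / max-src-conn-rate can only ever add that source. Populating the table with destinations has to happen outside pf: the logged rule already emits every passed SYN on pflog0, so a small watcher can count SYNs per destination and feed the offenders back with pfctl. The script below is an added example illustrating that approach, not code from the poster or from the pf project; the hacked server's address (10.0.0.5), the log lines (constructed here to resemble `tcpdump -n -tt -i pflog0` output, whose exact rule-prefix varies between versions) and the thresholds are all assumptions, and the pfctl commands are returned rather than executed so it runs offline.

```python
#!/usr/bin/env python3
"""Find destinations being SYN-flooded by one source, from pflog output.

Input lines are assumed to be `tcpdump -n -tt -i pflog0` output for the
logged 'pass out' rule: an epoch timestamp, the pf rule prefix, then
'src.port > dst.port: Flags [S]'. Only the timestamp and the 5-tuple are
matched, because the pf prefix differs between tcpdump/pf versions.
"""
import re
from collections import defaultdict, deque

HACKED_SERVER = "10.0.0.5"   # assumed value of $HackedServer
TABLE = "floodtargets"       # the pf table the block rule references
WINDOW = 5.0                 # seconds; mirrors the 15/5 in max-src-conn-rate
THRESHOLD = 15               # SYNs to a single destination within WINDOW

SYN_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s.*?"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): Flags \[S\]"
)


def flooded_destinations(lines, src=HACKED_SERVER, window=WINDOW,
                         threshold=THRESHOLD):
    """Return sorted destination IPs that got more than `threshold` SYNs
    from `src` inside any `window`-second span (sliding window per dst)."""
    recent = defaultdict(deque)   # dst -> timestamps of SYNs still in window
    flagged = set()
    for line in lines:
        m = SYN_RE.search(line)
        if not m or m.group("src") != src:
            continue                      # other hosts' traffic is ignored
        ts = float(m.group("ts"))
        dst = m.group("dst")
        q = recent[dst]
        q.append(ts)
        while q and ts - q[0] > window:   # drop SYNs older than the window
            q.popleft()
        if len(q) > threshold:
            flagged.add(dst)
    return sorted(flagged)


def pfctl_commands(dests, table=TABLE, src=HACKED_SERVER):
    """Shell commands that add each victim to the table and kill the
    existing states from the hacked server to it, so the block rule takes
    effect immediately instead of only for new connections."""
    cmds = []
    for dst in dests:
        cmds.append(f"pfctl -t {table} -T add {dst}")
        cmds.append(f"pfctl -k {src} -k {dst}")
    return cmds


def sample_log():
    """Constructed pflog-style lines: a flood to 203.0.113.7, a few
    legitimate connections to 198.51.100.9, and a flood from another host
    that must not count against the hacked server."""
    base = 1700000000.0
    fmt = ("{ts:.6f} rule 1/0(match): pass out on vlan100: "
           "{src}.{sport} > {dst}.80: Flags [S], seq 1, win 65535, length 0")
    lines = []
    for i in range(20):   # 20 SYNs in 2 seconds to one victim
        lines.append(fmt.format(ts=base + i * 0.1, src=HACKED_SERVER,
                                sport=40000 + i, dst="203.0.113.7"))
    for i in range(3):    # normal traffic, stays under the threshold
        lines.append(fmt.format(ts=base + i, src=HACKED_SERVER,
                                sport=41000 + i, dst="198.51.100.9"))
    for i in range(20):   # a different source flooding: not our problem here
        lines.append(fmt.format(ts=base + i * 0.1, src="10.0.0.6",
                                sport=42000 + i, dst="203.0.113.8"))
    return lines


if __name__ == "__main__":
    import sys
    source = sys.stdin if not sys.stdin.isatty() else sample_log()
    for cmd in pfctl_commands(flooded_destinations(source)):
        print(cmd)
```

Run as `tcpdump -n -l -tt -i pflog0 | ./synwatch.py | sh` (the `-l` keeps tcpdump line-buffered) and the block rule on <floodtargets> starts matching the victims. Because the table is declared `persist`, entries added with `pfctl -T add` survive rule reloads; remember to expire them (`pfctl -t floodtargets -T expire 3600`) so a host is not blocked forever once the flood stops.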