Many thanks,

Already have that in place.

But that doesn't always help, for AOL proxies for example, which actually will have more connections than this.

If you look here:

http://webmaster.info.aol.com/proxyinfo.html

I can get the list of proxies used by them, so I can also allow this list to connect without restrictions, but many proxies don't publish their listing, so legitimate traffic would be blocked. (;<

Having more than 100 connections from a valid proxy on busy servers is easy, so I can't do that. And limiting the connection rate is a good idea, but the attack got smart somehow, as it increases the number of sources but reduces the connection rate from each one. (;<

This has been going on for about 7 weeks now. Maybe more, but I didn't notice anything before that. Can't say that it wasn't there, however.

That's why I am logging them all now. I logged 12 thousand new sources alone in the last 23 hours, but if I look at all the logs in the past 7 weeks, if I am willing to do this, it wouldn't surprise me if I could identify 10 times more than this.

Don't get me wrong. It's not that your idea or suggestion is not good. It is! But it is already in place, and it looks like it also needs something else as well. That's why I call this my live lab system, if I may use that.

It's a good setup to test DDoS fighting-back procedures.

At this time I am still calling this fun, as I am learning and the impact is really minimal, but if I am not working at it seriously, it may well become a nightmare sooner than I would like, if you follow my drift.

Thanks for your suggestions nevertheless.

Ryan Corder wrote:
On Thu, 2006-08-24 at 12:30 -0400, Daniel Ouellet wrote:
I am now up to 11,149 simultaneous sources for the last 22 hours.

Someone is having fun at my expense.

But still holding on remarkably well!

sounds like it is time to deploy some PF hackery...

table <bad_hosts> persist
block in quick on $ext_if inet from <bad_hosts>

pass in on $ext_if proto tcp from any to any port 80 \
    flags S/SA synproxy state (max-src-conn 100, \
                               max-src-conn-rate 15/5, \
                               overload <bad_hosts> flush)

later.
ryanc

--
Ryan Corder <[EMAIL PROTECTED]>
Systems Engineer, NovaSys Health LLC.
501-219-4444 ext. 646


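One way to combine the two points raised in this thread, added here as an example and not taken from either poster's pf.conf: keep the overload rule, but let a table of published shared proxies (the AOL list Daniel mentions) through without the per-source limits so they are never pushed into <bad_hosts>. $ext_if and <bad_hosts> come from the thread; the <known_proxies> table name and the /etc/pf.known_proxies file are placeholders.

```pf
# Added example, not the thread's own rules. Assumes $ext_if is defined
# as in Ryan's snippet; /etc/pf.known_proxies is a placeholder path holding
# the addresses from published proxy lists such as AOL's.

table <bad_hosts> persist
table <known_proxies> persist file "/etc/pf.known_proxies"

# Drop anything already caught by the overload rule below.
block in quick on $ext_if inet from <bad_hosts>

# Known shared proxies carry many users behind one address, so they get
# no per-source limits: otherwise one busy proxy trips the threshold and
# legitimate traffic is blocked along with it.
pass in quick on $ext_if inet proto tcp from <known_proxies> \
    to any port 80 flags S/SA synproxy state

# Everyone else keeps the thread's limits. "flush global" tears down
# every state held by an offending source, not only those created by
# this rule, so the host is cut off completely once it is tabled.
pass in on $ext_if inet proto tcp from any to any port 80 \
    flags S/SA synproxy state (max-src-conn 100, \
                               max-src-conn-rate 15/5, \
                               overload <bad_hosts> flush global)
```

Since a shared proxy that is not on the published list can still be tabled by mistake, ageing entries out periodically (for example `pfctl -t bad_hosts -T expire 3600` from cron) keeps such a block from becoming permanent while still stopping the sources that keep reconnecting.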