On 8/24/06, Ryan Corder <[EMAIL PROTECTED]> wrote:
table <bad_hosts> persist
block in quick on $ext_if inet from <bad_hosts>
pass in on $ext_if proto tcp from any to any port 80 \
    flags S/SA synproxy state (max-src-conn 100, \
    max-src-conn-rate 15/5, \
    overload <bad_hosts> flush)
This works fine in these cases and I've used it before. Run a cron job to grab and update a flat file of IP addresses (<bad_hosts>) on a regular basis. I've managed botnet attacks just like it with block lists in the hundreds of thousands. If you are that concerned with AOL traffic then just set another cron to rip out AOL address space from the bad_hosts file.
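The cron-driven refresh of the <bad_hosts> flat file described above, written out as an added shell example that is not from the original thread: it drops list entries that fall inside excluded networks (the "rip out AOL address space" step) before swapping the result into the running pf table with pfctl. The feed URL, file paths, cron schedule and the exclusion-file format are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread. Rebuilds the <bad_hosts>
# flat file from a fetched block list, drops entries wholly inside an
# excluded network, and swaps the new contents into the live pf table.
# IPv4 only, matching the "inet" block rule in the post.

# filter_hosts RAWLIST EXCLUDE
#   RAWLIST: one IPv4 address or a.b.c.d/n per line, '#' comments allowed
#   EXCLUDE: one a.b.c.d/n per line (assumed format); entries inside these are dropped
filter_hosts() {
    awk '
    function ip2int(s,  o) { split(s, o, "."); return ((o[1]*256+o[2])*256+o[3])*256+o[4] }
    # network address of addr truncated to n bits; int(x / 2^k) stands in
    # for a right shift because POSIX awk has no bit operators
    function net(addr, n) { return int(ip2int(addr) / 2^(32-n)) * 2^(32-n) }
    function parse(s, p) { if (split(s, p, "/") == 1) p[2] = 32; p[2] += 0 }
    FNR == NR {                         # first file: exclusion networks
        sub(/#.*/, ""); if (!NF) next
        parse($1, p); ex_net[++k] = net(p[1], p[2]); ex_len[k] = p[2]; next
    }
    {                                   # second file: candidate bad hosts
        sub(/#.*/, ""); if (!NF) next
        parse($1, p)
        for (i = 1; i <= k; i++)        # drop only if wholly inside an excluded net
            if (p[2] >= ex_len[i] && net(p[1], ex_len[i]) == ex_net[i]) next
        print $1
    }' "$2" "$1"
}

# Assumed cron entry: */30 * * * * /usr/local/sbin/update_bad_hosts.sh --run
main() {
    list_url="https://example.invalid/blocklist.txt"   # placeholder feed URL
    exclude_file="/etc/pf/bad_hosts.exclude"           # assumed path: networks never to block
    table_file="/etc/pf/bad_hosts"                     # assumed path: the <bad_hosts> flat file
    ftp -o "$table_file.raw" "$list_url"               # OpenBSD's built-in fetcher
    filter_hosts "$table_file.raw" "$exclude_file" > "$table_file.new"
    mv "$table_file.new" "$table_file"
    # "-T replace" swaps the table contents in one step instead of
    # flushing and re-adding, so there is no window with an empty table
    pfctl -t bad_hosts -T replace -f "$table_file"
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Entries in the raw list that are broader than an excluded network (a /8 covering an excluded /16) are kept, since only entries wholly inside an exclusion are removed.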

