On Thu, Jan 31, 2008 at 10:50:43AM -0600, Cache Hit wrote:
> One thing I continually run into on the machines are port 80 attacks
> or floods. I'd like to do something similar with PF as I'm already
> doing for other protocols to overload these into a table and block
> them, but I'm finding it very hard to come up with a set of rules
> that eliminate any false positives while still catching actual
> attacks. I find in particular there are a few websites behind our
> firewall that have very complex page structures with lots of embedded
> images such that a fast browser with a fast connection viewing
> certain sections of the site can easily do hundreds of legit GETs in a
> matter of a couple seconds.
>
> Does anyone have any suggestions for weeding out the false
> positives? Merely upping either of max-src-conn or max-src-conn-rate
> seems to be eventually self-defeating as it just allows attacks
> through as well as allowing the fast legit traffic.
Depending on the traffic patterns of legit vs. attack, the following idea
might work... use max-src-* with values that may create false positives and
overload into table <candidates>, which will still PASS. Now use different
values for max-src-* on the <candidates> pass rule to look for longer term
abuse and overload to <blocked>. Effectively this lets you do 2 stages of
evaluation, at the price of taking a bit longer to block attacks. Make sense?

-- 
Darrin Chandler            |  Phoenix BSD User Group  |  MetaBUG
[EMAIL PROTECTED]          |  http://phxbug.org/      |  http://metabug.org/
http://www.stilyagin.com/  |  Daemons in the Desert   |  Global BUG Federation
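The two-stage overload described above, written out as a pf.conf fragment. This is an added example, not a ruleset from the thread; the interface name, server address and all thresholds are assumed placeholders to be tuned against the site's real traffic.

```pf
# Added example: two-stage overload for port 80 (not from the original post).
# $ext_if and $www are assumed placeholders; thresholds are illustrative only.
ext_if = "em0"
www    = "192.0.2.10"

table <candidates> persist
table <blocked>    persist

# Stage 2 result: sources that were flagged once and then kept abusing are dropped.
block in quick on $ext_if proto tcp from <blocked> to $www port 80

# Stage 2: a flagged source still passes, but is now judged against a longer-term
# limit (here 600 new connections per 60 s, or 200 open at once). Exceeding that
# moves it to <blocked> and flushes its existing states.
pass in quick on $ext_if proto tcp from <candidates> to $www port 80 flags S/SA \
    keep state (max-src-conn 200, max-src-conn-rate 600/60, \
                overload <blocked> flush global)

# Stage 1: everyone else. A short burst that may just be a fast browser loading
# an image-heavy page (more than 60 new connections in 2 s) only lands the
# source in <candidates>; nothing is blocked yet, so a false positive costs nothing.
pass in on $ext_if proto tcp to $www port 80 flags S/SA \
    keep state (max-src-conn-rate 60/2, overload <candidates>)
```

Because the stage-1 rule has no flush, a flagged browser's existing connections finish normally and only its new ones are evaluated under the stricter stage-2 rule; to let candidates age out, run something like `pfctl -t candidates -T expire 3600` from cron.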