sweet idea. :-)

-----Original Message-----
From: Darrin Chandler <[EMAIL PROTECTED]>
To: Cache Hit <[EMAIL PROTECTED]>
Cc: misc@openbsd.org
Subject: Re: PF - using overload for port 80 attacks/floods
Date: Thu, 31 Jan 2008 11:11:25 -0700
Mailer: Mutt/1.5.16 (2007-06-09)
Depending on the traffic patterns of legit vs. attack the following idea might work... use max-src-* with values that may create false positives and overload into table <candidates> which will still PASS. Now use different values for max-src-* on <candidate> pass rule to look for longer term abuse and overload to <blocked>. Effectively this lets you do 2 stages of evaluation, at the price of taking a bit longer to block attacks. Make sense?
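The two-stage scheme Darrin sketches, written out as a pf.conf fragment. This is an added example, not Darrin's own ruleset or anything from the OpenBSD project; the interface name, the server address (from the 192.0.2.0/24 documentation range) and the rate values are assumptions chosen to make the stages readable, not tuned numbers.

```pf
# Added example, not from the original thread.
# Stage 1 is deliberately loose and may catch legitimate bursts; overloading
# there only moves a host into <candidates>, which still passes. Stage 2
# applies a stricter, longer-window limit to candidates only, and overloading
# there moves the host into <blocked>.
ext_if  = "em0"          # assumption: external interface
web_srv = "192.0.2.10"   # assumption: web server address

table <candidates> persist
table <blocked> persist

# Hosts that reached stage 2's limit are dropped outright on port 80.
block in quick on $ext_if proto tcp from <blocked> to $web_srv port 80

# Stage 2: a host already in <candidates> is matched by this rule first
# ("quick"). 200 new connections in 60 seconds from one source moves it to
# <blocked> and flushes its existing states.
pass in quick on $ext_if proto tcp from <candidates> to $web_srv port 80 \
    flags S/SA keep state \
    (source-track rule, max-src-conn-rate 200/60, overload <blocked> flush global)

# Stage 1: everyone else. 50 new connections in 10 seconds is a short,
# aggressive window; a false positive here only costs the host a trip
# through stage 2, where it keeps being passed until it proves abusive.
pass in on $ext_if proto tcp to $web_srv port 80 \
    flags S/SA keep state \
    (source-track rule, max-src-conn-rate 50/10, overload <candidates>)
```

One caveat worth checking in practice: overload tables are not expired by PF on their own, so a host that tripped stage 1 once stays a candidate until it is removed. A periodic `pfctl -t candidates -T expire 3600` (seconds since the entry was last referenced) keeps the candidate pool from growing indefinitely, and `pfctl -t candidates -T show` / `pfctl -t blocked -T show` let you watch which stage is actually doing the work before tightening the numbers.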