Darrin Chandler <[EMAIL PROTECTED]> writes:

> Depending on the traffic patterns of legit vs. attack the following idea
> might work... use max-src-* with values that may create false positives
> and overload into table <candidates> which will still PASS. Now use
> different values for max-src-* on <candidate> pass rule to look for
> longer term abuse and overload to <blocked>. Effectively this lets you
> do 2 stages of evaluation, at the price of taking a bit longer to block
> attacks. Make sense?

That's what I call an excellent idea. Finding the right set of values is
a worthy exercise for the reader, but I *like* that approach.

- P
-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
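
The two-stage scheme discussed in this thread, written out as an added pf.conf sketch that is not part of the original messages. The interface name, the protected port (ssh) and every threshold are assumptions; the thresholds are placeholders to be tuned against real traffic.

```conf
# Added example, not from the thread. em0, port ssh and all numbers
# below are assumed values chosen only to show the rule structure.
ext_if = "em0"

table <candidates> persist
table <blocked> persist

# Sources that failed the second stage are dropped outright.
block in quick on $ext_if from <blocked>

# Stage 2: sources already in <candidates> still PASS, but are measured
# against a longer window. Exceeding it moves the source to <blocked>
# and kills every state it currently holds.
pass in quick on $ext_if proto tcp from <candidates> to ($ext_if) port ssh \
    keep state (max-src-conn 20, max-src-conn-rate 30/300, \
    overload <blocked> flush global)

# Stage 1: deliberately tight short-window limits that may catch
# legitimate hosts. Overload only records the source in <candidates>;
# there is no flush, so its existing connections keep working.
pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
    keep state (max-src-conn 5, max-src-conn-rate 3/10, \
    overload <candidates>)
```

Entries never leave either table on their own; running pfctl -t candidates -T expire 3600 (and the same for blocked) from cron ages out addresses whose statistics were last cleared more than an hour ago, which bounds the cost of a stage-1 false positive.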