On Feb 1, 2008, at 1:30 AM, Peter N. M. Hansteen wrote:

Darrin Chandler <[EMAIL PROTECTED]> writes:

Depending on the traffic patterns of legit vs. attack the following
idea might work... use max-src-* with values that may create false
positives and overload into table <candidates> which will still PASS.
Now use different values for max-src-* on <candidate> pass rule to
look for longer term abuse and overload to <blocked>. Effectively this
lets you do 2 stages of evaluation, at the price of taking a bit
longer to block attacks. Make sense?

That's what I call an excellent idea.  Finding the right set of values
is a worthy exercise for the reader, but I *like* that approach.

I agree this is an excellent idea and I thank everyone for their
suggestions.  I'm working on something along the lines of Darrin's
idea right now.

-John
--
[EMAIL PROTECTED]
The sky above the port was the color of television, tuned to a dead
station.
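
The two-stage evaluation Darrin describes, written out as a pf.conf fragment. This is an added example, not a ruleset posted by anyone in the thread; the interface, the protected port and every limit value are assumptions to be tuned against real traffic.

```pf
# Added example, not from the thread. Interface, port and all
# thresholds below are assumptions.
ext_if   = "em0"      # assumed external interface
svc_port = "ssh"      # assumed service being protected

table <candidates> persist
table <blocked>    persist

block in log on $ext_if all

# Sources already judged abusive are dropped before anything else.
block in quick on $ext_if from <blocked>

# Stage 1: tight limits that may produce false positives. There is no
# "flush" here, so existing states survive and the source is only
# flagged by being added to <candidates>.
pass in on $ext_if inet proto tcp from any to ($ext_if) port $svc_port \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/10, overload <candidates>)

# Stage 2: pf applies the last matching rule, so new connections from
# a flagged source match here. They are still passed, but counted over
# a longer window. Sustained abuse moves the source to <blocked>, and
# "flush global" kills all of its existing states.
pass in on $ext_if inet proto tcp from <candidates> to ($ext_if) port $svc_port \
    flags S/SA keep state \
    (max-src-conn-rate 30/300, overload <blocked> flush global)
```

Neither table ages out entries on its own, so a source that tripped stage 1 once stays under stage 2 limits until removed; running `pfctl -t candidates -T expire <seconds>` from cron (and the same for `blocked`) lets false positives recover.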
