Hi misc,
I have a firewall with OpenBSD 4.1 and pf and it's receiving a lot of SYN
flood attacks and even UDP floods. Since this is common I think someone
could have developed something for this, so why reinvent the wheel?
The scenario is this:
block in log
block in quick inet from <badip> to any
...
pass rules
...
So when I get these attacks, my pflog shows a lot of packets blocked by
the "block in log" rule, or sometimes by the "scrub in", and these packets
are even to ports I'm not listening on.
What I want is some way to set something like the max-src-conn-rate in the
pass rule, something that will put the hosts that send more than 50pkts/s
into the <badip> table to be blocked. I don't know if this can be done in
pf.conf or with some script that works on pflog?
I don't want pf to have to look at all the rules for these attackers, so if
the packet is coming from <badip> it will drop it quickly and go on to the
next packet.
Has anyone worked on something like this?
Thanks,
Vinicius
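
One way to approach the pflog-script idea asked about above, as an added example that is not part of the original post: it counts blocked inbound packets per source per second and returns the sources above 50 packets/s. The input line shape (text like `tcpdump -n -e -tt -i pflog0` output), the sample lines and the function names are assumptions.

```python
import re
from collections import Counter

# Assumed input: text lines shaped like `tcpdump -n -e -tt -i pflog0` output:
#   <epoch>.<usec> rule <n>/(match) block in on <if>: <src>[.<port>] > <dst>...
LINE_RE = re.compile(
    r"^(?P<ts>\d+)\.\d+ rule \S+ block in on \S+: "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > "
)

def find_flooders(lines, max_pps=50):
    """Return sorted IPv4 sources with more than max_pps blocked packets
    in any single one-second bucket."""
    per_second = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:  # pass rules, IPv6, truncated lines: ignored
            continue
        per_second[(m.group("src"), int(m.group("ts")))] += 1
    return sorted({src for (src, _), n in per_second.items() if n > max_pps})

def constructed_sample():
    """Constructed log lines (documentation addresses), not real traffic."""
    fmt = "{ts}.{us:06d} rule 0/(match) block in on fxp0: {src} > 192.0.2.1{dport}: {rest}"
    lines = []
    for i in range(60):  # 60 SYNs inside one second: over the limit
        lines.append(fmt.format(ts=1171653060, us=i, src=f"203.0.113.7.{1024 + i}",
                                dport=".80", rest="S 1:1(0) win 16384"))
    for i in range(10):  # 10 UDP packets in that second: under the limit
        lines.append(fmt.format(ts=1171653060, us=100 + i, src="198.51.100.20.5353",
                                dport=".53", rest="udp 32"))
    for i in range(60):  # 60 ICMP packets over two seconds, 30 per second
        lines.append(fmt.format(ts=1171653061 + i // 30, us=i, src="192.0.2.99",
                                dport="", rest="icmp: echo request"))
    # A logged pass rule must not be counted.
    lines.append("1171653063.000001 rule 3/(match) pass in on fxp0: "
                 "198.51.100.20.2000 > 192.0.2.1.22: S 1:1(0) win 16384")
    return lines

if __name__ == "__main__":
    for ip in find_flooders(constructed_sample()):
        print(ip)
```

Each address returned can then be put in the table with `pfctl -t badip -T add <address>`, so the `block in quick inet from <badip> to any` rule drops its packets before the rest of the ruleset is evaluated.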