Re: Fighting DDOS attacks with pf

2012-08-21 Thread J David
On Tue, Aug 21, 2012 at 4:24 AM, Daniel Hartmeier wrote:
> Why not use synproxy state?

synproxy state does not help us limit simultaneous connections to a particular destination IP, which is all we are trying to accomplish, for a very large number of destination IPs. Thanks.

Re: Fighting DDOS attacks with pf

2012-08-21 Thread Daniel Hartmeier
On Mon, Aug 20, 2012 at 12:23:15PM -0400, J David wrote:
> Anything based on the source address is ineffective as the number of
> attack packets from any given IP is very low (frequently 1 if they are
> forged).

Why not use synproxy state?

> The goal for us is to clamp down on attacks directed a

Re: Fighting DDOS attacks with pf

2012-08-21 Thread Chris H
On 8/20/2012, "J David" wrote:
> Unfortunately, I think my reference to DDOS attacks has distracted
> from the underlying issue.
>
> PF allows a rule like this:
>
> pass in proto tcp from any to any port www keep state (max 100,
> source-track rule, max-src-states 3)
>
> (adapted from the man page)
>

Re: Fighting DDOS attacks with pf

2012-08-20 Thread J David
Unfortunately, I think my reference to DDOS attacks has distracted from the underlying issue.

PF allows a rule like this:

pass in proto tcp from any to any port www keep state (max 100, source-track rule, max-src-states 3)

(adapted from the man page)

We want this rule:

pass in proto tcp from a

Re: Fighting DDOS attacks with pf

2012-08-20 Thread Bartek W. aka Mastier
On 20.08.2012 18:27, Jason Hellenthal wrote:
All of the methods listed in more recent messages are just fine methods to *somewhat* handle the DDoS on the hosts being attacked. - *But* - The only way you are going to take care of this is going to your provider at the next level and aski

Re: Fighting DDOS attacks with pf

2012-08-20 Thread Jason Hellenthal
All of the methods listed in more recent messages are just fine methods to *somewhat* handle the DDoS on the hosts being attacked. - *But* - The only way you are going to take care of this is going to your provider at the next level and asking them for assistance. Most of the addresses you

Re: Fighting DDOS attacks with pf

2012-08-20 Thread J David
On Mon, Aug 20, 2012 at 12:07 PM, Kevin Wilcox wrote:
> Rather than block on the number of states, take a look at dropping
> based on the number of connections over some time delta.
>
> Specifically, max-src-conn and max-src-conn-rate.

Anything based on the source address is ineffective as the nu

Re: Fighting DDOS attacks with pf

2012-08-20 Thread Victor Detoni
David,

Have you looked at *optimization* at the link below? Maybe it helps you.

http://www.openbsd.org/faq/pf/options.html

On Mon, Aug 20, 2012 at 12:53 PM, J David wrote:
> Hello,
>
> We experience frequent DDOS attacks, and we're having a tough time
> mitigating them with pf. We have plenty of ban

Re: Fighting DDOS attacks with pf

2012-08-20 Thread Kevin Wilcox
On Mon, Aug 20, 2012 at 11:53 AM, J David wrote:
> However, the nature of a DDOS attack is that there is not a single
> source IP. The source IP is either outright forged or one of a large
> number of compromised attacking hosts. So what I really want to do is
> have a "max-dst-states" rule tha

Fighting DDOS attacks with pf

2012-08-20 Thread J David
Hello,

We experience frequent DDOS attacks, and we're having a tough time mitigating them with pf. We have plenty of bandwidth and processing power, we just can't seem to get the rules right.

If, for example, I have a single IP address on the outside attacking a range of IPs on the inside, it is