Hello,
We experience frequent DDOS attacks, and we're having a tough time
mitigating them with pf. We have plenty of bandwidth and processing
power, we just can't seem to get the rules right.
If, for example, I have a single IP address on the outside attacking a
range of IPs on the inside, it is
On Mon, Aug 20, 2012 at 11:53 AM, J David wrote:
> However, the nature of a DDOS attack is that there is not a single
> source IP. The source IP is either outright forged or one of a large
> number of compromised attacking hosts. So what I really want to do is
> have a "max-dst-states" rule tha
David,
Have you looked at *optimization* at the link below? Maybe it helps you.
http://www.openbsd.org/faq/pf/options.html
On Mon, Aug 20, 2012 at 12:53 PM, J David wrote:
> Hello,
>
> We experience frequent DDOS attacks, and we're having a tough time
> mitigating them with pf. We have plenty of ban
On Mon, Aug 20, 2012 at 12:07 PM, Kevin Wilcox wrote:
> Rather than block on the number of states, take a look at dropping
> based on the number of connections over some time delta.
>
> Specifically, max-src-conn and max-src-conn-rate.
Anything based on the source address is ineffective as the nu
All of the methods listed in more recent messages are just fine
methods to *somewhat* handle the DDoS on the hosts being attacked.
- *But* -
The only way you are going to take care of this is going to your
provider at the next level and asking them for assistance. Most of the
addresses you
On 20.08.2012 18:27, Jason Hellenthal wrote:
> All of the methods listed in more recent messages are just fine
> methods to *somewhat* handle the DDoS on the hosts being attacked.
> - *But* -
> The only way you are going to take care of this is going to your
> provider at the next level and aski
Unfortunately, I think my reference to DDOS attacks has distracted
from the underlying issue.
PF allows a rule like this:
pass in proto tcp from any to any port www keep state (max 100,
source-track rule, max-src-states 3)
(adapted from the man page)
We want this rule:
pass in proto tcp from a
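As an added example (not from the thread) of the two kinds of limit discussed above in a single pf.conf fragment: the per-source limits from Kevin's reply, and the per-rule `max` limit from the man page snippet used as the closest thing pf offers to a per-destination cap. The interface name and the addresses are assumed.

```pf
# Added example, not from the thread. Interface and addresses are assumed.
ext_if = "em0"
web_servers = "{ 192.0.2.10, 192.0.2.11, 192.0.2.12 }"   # assumed inside hosts

# Per-source limits: a source holding more than 100 states, or opening
# more than 15 new connections in 5 seconds, is added to <attackers>, and
# "flush global" removes every state that source already holds. This only
# helps when the source address is real (the 3-way handshake must complete).
table <attackers> persist
block in quick on $ext_if from <attackers>

# pf has no max-dst-states. The closest approximation is the per-rule "max":
# pfctl expands the host list into one rule per destination, and each
# expanded rule keeps its own state counter, so every web server is capped
# at 500 states independently of the others. Once a server hits the cap,
# packets that would create new states to it are dropped, which protects
# the state table and the other hosts rather than the targeted host itself.
pass in on $ext_if proto tcp to $web_servers port www flags S/SA \
    keep state (max 500, source-track rule, \
                max-src-conn 100, max-src-conn-rate 15/5, \
                overload <attackers> flush global)
```

Check the expansion and the counters with `pfctl -sr -vv` after loading, which prints one rule per destination with its own "States" count.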