Re: PF - using overload for port 80 attacks/floods

2008-02-01 Thread Cache Hit
On Feb 1, 2008, at 1:30 AM, Peter N. M. Hansteen wrote: Darrin Chandler <[EMAIL PROTECTED]> writes: Depending on the traffic patterns of legit vs. attack the following idea might work... use max-src-* with values that may create false positives and overload into table which will still PASS. N

Re: PF - using overload for port 80 attacks/floods

2008-01-31 Thread Peter N. M. Hansteen
Darrin Chandler <[EMAIL PROTECTED]> writes:
> Depending on the traffic patterns of legit vs. attack the following idea
> might work... use max-src-* with values that may create false positives
> and overload into table which will still PASS. Now use
> different values for max-src-* on pass rule

Re: PF - using overload for port 80 attacks/floods

2008-01-31 Thread Calomel
Since you already stated you have valid clients which could open many connections at once it seems pf might not be the right solution. Have you thought about using a reverse proxy server in front of your web servers? A program like Pound would allow you to specify valid URL regular expressions wh

Re: PF - using overload for port 80 attacks/floods

2008-01-31 Thread scott
sweet idea. :-)

-Original Message-
From: Darrin Chandler <[EMAIL PROTECTED]>
To: Cache Hit <[EMAIL PROTECTED]>
Cc: misc@openbsd.org
Subject: Re: PF - using overload for port 80 attacks/floods
Date: Thu, 31 Jan 2008 11:11:25 -0700
Mailer: Mutt/1.5.16 (2007-06-09)

Depending on

Re: PF - using overload for port 80 attacks/floods

2008-01-31 Thread Darrin Chandler
On Thu, Jan 31, 2008 at 10:50:43AM -0600, Cache Hit wrote:
> One thing I continually run into on the machines are port 80 attacks
> or floods. I'd like to do something similar with PF as I'm already
> doing for other protocols to overload these into a table and block
> them, but I'm finding it ver