On Mon, Aug 20, 2012 at 11:53 AM, J David <[email protected]> wrote:
> However, the nature of a DDOS attack is that there is not a single > source IP. The source IP is either outright forged or one of a large > number of compromised attacking hosts. So what I really want to do is > have a "max-dst-states" rule that would at least temporarily blackhole > an IP being attacked, but there's no such thing. Rather than block on the number of states, take a look at dropping based on the number of connections over some time delta. Specifically, max-src-conn and max-src-conn-rate. kmw _______________________________________________ [email protected] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-pf To unsubscribe, send any mail to "[email protected]"
