Define a filter to drop the packets with SYN+FIN flags set.

Mihai

> jeff wrote:
>> Sean Knox wrote:
>>
>>> <tcpdump logs and pf.conf snipped>
>>>
>>> The only people who can help are your ISP. Talk to them and hopefully
>>> they can trace the attack upstream.
>>
>> I once added this to pf.conf to mitigate a DDoS. It appeared to have
>> worked, but it may have been a placebo effect ;)
>>
>> set optimization aggressive
>> set timeout tcp.first 45
>> set timeout tcp.established 43200
>> set timeout { adaptive.start 30000, adaptive.end 45000 }
>> set limit states 40000
>>
>
> This might help with a SYN attack as long as you still have available
> bandwidth. Additionally, this wouldn't help against any non-TCP packet.
> If an attacker is exhausting your pipe, all the firewalling in the world
> won't help. You'll have to have upstream ISPs route the packets into
> /dev/null.
>
> sk
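The following pf.conf fragment is an added example, not something any poster in the thread wrote: it puts Mihai's SYN+FIN filter next to the state-table settings jeff quoted, and goes one step beyond the thread by adding a synproxy rule for the listening services. The interface name `em0` and the ports 22 and 80 are assumptions for illustration.

```conf
# Added example pf.conf fragment (not from the thread). The interface name
# and the ports are assumptions; adjust them to the host.
ext_if = "em0"

# State-table tuning as quoted by jeff: a short tcp.first so half-open
# (SYN-only) entries expire quickly, adaptive timeouts that shrink further
# as the table fills, and a hard ceiling on the number of states.
set optimization aggressive
set timeout tcp.first 45
set timeout tcp.established 43200
set timeout { adaptive.start 30000, adaptive.end 45000 }
set limit states 40000

# Mihai's filter: a legitimate TCP segment never carries SYN and FIN at the
# same time, so drop such packets before they are matched against pass
# rules or can create state. "FS/FS" examines only the F and S bits and
# requires both to be set.
block in quick on $ext_if proto tcp flags FS/FS

# Accept new connections only on an initial SYN (SYN set, ACK clear) and
# let pf complete the three-way handshake itself before forwarding it, so
# spoofed SYNs never consume a socket or state entry on the server behind.
pass in on $ext_if proto tcp to ($ext_if) port { 22 80 } flags S/SA synproxy state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -si` shows whether the state count is climbing toward the limit, and `pfctl -sr -v` shows per-rule hit counters, which tells you whether the SYN+FIN rule is matching anything at all. As sk points out in the thread, all of this only helps while the link still has spare bandwidth and the flood is TCP; once the pipe itself is saturated, filtering on the host cannot recover it and the traffic has to be dropped upstream.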