On 25 June 2012 16:12, Matthias Cramer <cra...@freestone.net> wrote:
> Hi Marios

Hi Matthias,

> On 25/06/12 15:58, Marios Makassikis wrote:
>> On 25 June 2012 15:36, Matthias Cramer <cra...@freestone.net> wrote:
>>
>>> - to block a packet even with an established state ?
>>>
>>
>> How are you detecting attackers in your current setup ?
>
> At the moment by hand ... I know that is not acceptable ...
>
>> I would consider having PF rate-limit connections to your SIP PBX, and
>> add any host that goes over the limit to your badguys table.
>> An example is described here: http://home.nuug.no/~peter/pf/en/bruteforce.html
>
> I saw this. But the problem is, the attacker always comes with the same IP/Port combo,
> so it is always the same session for pf. So this method does not work!

My understanding of this is that PF creates a state and uses it for all further
communication with the attacker. Considering there is no other state created, it
will never reach the limit to be added to the table.

If that is the case, the question remains: how do you detect the attack ?
Is the PBX rendered unusable for other clients ?

I think a more accurate description of the attack would be helpful to find a
solution to the problem.

> Is there a way to do something similar by packets per second ?

Packets per second sounds like a unit for bandwidth, which would suggest using
something like ALTQ to throttle traffic. The problem remains though, since you
may end up throttling all connections to your PBX, including legitimate clients.

> Regards
>
> Matthias
>
> --
> Matthias Cramer, Erachfeldstrasse 1b, CH-8180 Bülach
> http://www.freestone.net
> GnuPG 1024D/2D208250 = DBC6 65B6 7083 1029 781E 3959 B62F DF1C 2D20 8250
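As an added example (not from either poster), a small sh script that does the detection step outside PF's state tracking, which is where the thread shows the rate-limit approach falling down: it counts failed SIP registrations per source address in a log excerpt, then adds offenders to the badguys table and kills their existing states so the block takes effect even on an already-established session. The log format and threshold are constructed for the example; the awk field positions depend on the real PBX log, and the table name and `block` rule are assumed to be in pf.conf as shown in the comment.

```shell
#!/bin/sh
# Assumed pf.conf lines (not from the thread):
#   table <badguys> persist
#   block in quick from <badguys>

# Constructed sample log: one failed REGISTER per line, "<time> <source-ip>".
SAMPLE_LOG='12:00:01 203.0.113.7
12:00:01 203.0.113.7
12:00:02 198.51.100.9
12:00:02 203.0.113.7
12:00:03 203.0.113.7
12:00:03 203.0.113.7
12:00:04 198.51.100.9'

# offenders THRESHOLD: read log lines on stdin, print every source IP with at
# least THRESHOLD failures, one per line, sorted. The time window is simply
# whatever slice of the log is piped in (e.g. the last minute via tail).
offenders() {
    awk -v t="$1" '{ n[$2]++ } END { for (ip in n) if (n[ip] >= t) print ip }' | sort
}

# ban IP: add the address to the badguys table, then kill any states it
# already holds. A block rule alone never touches an established state, so
# the pfctl -k step is what closes the attacker's existing "session".
ban() {
    pfctl -t badguys -T add "$1"
    pfctl -k "$1"
}

# offenders_from_sample THRESHOLD: run offenders over the constructed log.
offenders_from_sample() {
    printf '%s\n' "$SAMPLE_LOG" | offenders "$1"
}

# Only touch pf when invoked as "sh script.sh apply" (needs root).
if [ "${1:-}" = "apply" ]; then
    offenders_from_sample 5 | while read -r ip; do ban "$ip"; done
fi
```

In production, replace SAMPLE_LOG with the PBX's own auth-failure log and schedule the script from cron, keeping the threshold high enough that a legitimate phone with a mistyped password is not banned.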