My DNS server is being used in a reflection attack.  I can tell it's a
reflection attack by the incoming ttl of the DNS packet and the ping ttl
as returned with ping.  They differ, meaning it's spoofed from another site.

While the system it's on is FreeBSD and its pf is outdated, I didn't
see an option in OpenBSD's pf that allows matching a packet by its ttl.
Because if I had that I could block the reflection attacker and still
allow the valid query from that IP through.

Is there will for such an option in OpenBSD?  If not I won't waste
anyone's time furthermore.

Cheers,
-peter
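
An added example, not part of the original message: the TTL comparison described above, generalized to hop counts because a host may not use the same initial TTL for ICMP echo replies and UDP queries. The list of common initial TTLs, the one-hop tolerance, and the sample addresses and TTLs are assumptions constructed for illustration.

```python
# Added example: flag DNS queries whose hop count disagrees with the
# hop count measured from a ping reply of the claimed source address.

COMMON_INITIAL_TTLS = (32, 64, 128, 255)  # assumption: typical OS defaults


def hop_count(observed_ttl):
    """Estimate hops travelled, assuming the sender started from the
    smallest common initial TTL that is >= the observed TTL."""
    if not 1 <= observed_ttl <= 255:
        raise ValueError("TTL out of range: %r" % (observed_ttl,))
    initial = next(t for t in COMMON_INITIAL_TTLS if t >= observed_ttl)
    return initial - observed_ttl


def looks_spoofed(query_ttl, ping_reply_ttl, tolerance=1):
    """True when the query's path length differs from the ping baseline
    by more than `tolerance` hops (small drift is normal routing churn)."""
    return abs(hop_count(query_ttl) - hop_count(ping_reply_ttl)) > tolerance


def classify(queries, baselines, tolerance=1):
    """queries: iterable of (src_ip, ttl) seen on incoming DNS packets.
    baselines: {src_ip: ttl of that host's ping reply}."""
    verdicts = []
    for src, ttl in queries:
        if src not in baselines:
            verdict = "unknown"      # no ping baseline, cannot judge
        elif looks_spoofed(ttl, baselines[src], tolerance):
            verdict = "spoofed"
        else:
            verdict = "consistent"
        verdicts.append((src, ttl, verdict))
    return verdicts


# Constructed sample data using documentation address ranges.
BASELINES = {"192.0.2.10": 52, "198.51.100.7": 115}
QUERIES = [
    ("192.0.2.10", 52),     # same TTL as the ping reply
    ("192.0.2.10", 236),    # 19 hops vs. 12 hops on the baseline
    ("198.51.100.7", 116),  # one hop of drift, within tolerance
    ("203.0.113.5", 60),    # never pinged
]

if __name__ == "__main__":
    for src, ttl, verdict in classify(QUERIES, BASELINES):
        print("%-14s ttl=%-3d %s" % (src, ttl, verdict))
```

A hop-count match does not prove a query is genuine, since a sender at the same distance produces the same value; a mismatch is the useful signal.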
