Hi, I developed a script to try to block IPs that are potentially doing a SYN
flood to my https server.

These are the configurations in my /etc/pf.conf:

pass in on egress proto tcp from any to (egress:0) port = 443 flags S/SA
synproxy state
block return log on egress proto tcp from <bad_hosts> to (egress:0) port =
443

Every minute I run the script:

1)
# pfctl -ss | grep -w tcp | grep -w 443 | grep -w PROXY

all tcp <my_server>:443 <- <potential_bad_host>:45031       PROXY:SRC

2)
I put the <potential_bad_host> in a local database, and I increment the
number of occurrences the PROXY:SRC appears.

3)
If the number of occurrences is greater than a maximum tolerated, then I
add the <potential_bad_host> to the pf table <bad_hosts>.

Anyway, even if the <potential_bad_host> opens a PROXY:SRC connection,
detected every minute by my script, it could be a "good host".

But, a "good host" replies with an ACK immediately.
I would be 100% sure that the ip is a "bad host" only if it doesn't send
the ACK in a certain period of time.

So, I would like to ask if it's possible to add such kind of a timestamp in
pfctl.

Example:

# pfctl -ss | grep -w tcp | grep -w 443 | grep -w PROXY

all tcp <my_server>:443 <- <potential_bad_host>:45031       PROXY:SRC
*<seconds_without_ack>*

If *<seconds_without_ack>* is greater than a tolerated minimum, then I can
consider that the <potential_bad_host> is actually a "bad host".


Regards
Luca
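The counting heuristic described in the post (steps 1 to 3), as an added example that is not Luca's script: it parses `pfctl -ss` output for inbound TCP states on port 443 that are still in the `PROXY:SRC` phase, counts per source address how many consecutive minutes that was seen, and builds (without running) the `pfctl -t bad_hosts -T add` command once a source exceeds the tolerated maximum. The sample `pfctl -ss` lines and the addresses in them are constructed; the handling of IPv6 endpoints in `addr[port]` form is an assumption about pfctl's output format, the IPv4 `addr:port` form is what the post shows.

```python
import re
from collections import Counter

# One `pfctl -ss` line for an inbound TCP state, e.g.
#   all tcp 203.0.113.10:443 <- 198.51.100.7:45031       PROXY:SRC
# Outbound ("->") and non-TCP states deliberately do not match.
STATE_RE = re.compile(
    r"^\s*(?P<iface>\S+)\s+tcp\s+(?P<dst>\S+)\s+<-\s+(?P<src>\S+)\s+(?P<state>\S+)\s*$"
)


def split_endpoint(endpoint):
    """Split 'addr:port' (IPv4) or 'addr[port]' (IPv6, assumed format) into (addr, port)."""
    if endpoint.endswith("]"):
        addr, _, port = endpoint[:-1].rpartition("[")
    else:
        addr, _, port = endpoint.rpartition(":")
    return addr, int(port)


def parse_states(text):
    """Yield (src_ip, dst_port, state) for every inbound TCP state line."""
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if not m:
            continue
        _, dport = split_endpoint(m.group("dst"))
        src, _ = split_endpoint(m.group("src"))
        yield src, dport, m.group("state")


def proxy_sources(text, port=443):
    """Source IPs currently sitting in the synproxy PROXY:SRC phase for `port`."""
    return {src for src, dport, state in parse_states(text)
            if dport == port and state == "PROXY:SRC"}


class SynProxyTracker:
    """Step 2 of the post: per-source occurrence counter kept across runs."""

    def __init__(self, max_hits):
        self.max_hits = max_hits      # tolerated number of PROXY:SRC sightings
        self.hits = Counter()         # stands in for the post's local database
        self.blocked = set()

    def observe(self, pfctl_output, port=443):
        """Record one minute's `pfctl -ss` output; return sources that newly exceed the limit."""
        newly_blocked = []
        for src in proxy_sources(pfctl_output, port):
            self.hits[src] += 1
            if self.hits[src] > self.max_hits and src not in self.blocked:
                self.blocked.add(src)
                newly_blocked.append(src)
        return newly_blocked


def table_add_command(table, hosts):
    """Step 3 of the post as an argv list; the caller decides whether to run it."""
    return ["pfctl", "-t", table, "-T", "add", *sorted(hosts)]


# Constructed sample output for three successive minutes (addresses are documentation ranges).
MINUTE_1 = """\
all tcp 203.0.113.10:443 <- 198.51.100.7:45031       PROXY:SRC
all tcp 203.0.113.10:443 <- 192.0.2.33:51200       ESTABLISHED:ESTABLISHED
all tcp 203.0.113.10:443 <- 198.51.100.9:40001       PROXY:SRC
all tcp 203.0.113.10:22 <- 192.0.2.40:60000       ESTABLISHED:ESTABLISHED
"""
MINUTE_2 = """\
all tcp 203.0.113.10:443 <- 198.51.100.7:45032       PROXY:SRC
all tcp 203.0.113.10:443 <- 198.51.100.9:40001       ESTABLISHED:ESTABLISHED
"""
MINUTE_3 = """\
all tcp 203.0.113.10:443 <- 198.51.100.7:45033       PROXY:SRC
all tcp [2001:db8::5][443] <- [2001:db8::99][50000]       PROXY:SRC
"""


def run_sample(max_hits=2):
    """Feed the three constructed minutes through the tracker; return what got blocked."""
    tracker = SynProxyTracker(max_hits)
    blocked = []
    for output in (MINUTE_1, MINUTE_2, MINUTE_3):
        blocked.extend(tracker.observe(output))
    return blocked, dict(tracker.hits)


if __name__ == "__main__":
    blocked, hits = run_sample()
    print("hits:", hits)
    if blocked:
        print(" ".join(table_add_command("bad_hosts", blocked)))
```

In the sample, 198.51.100.7 is in `PROXY:SRC` for three minutes in a row and is the only source that crosses the limit of 2; 198.51.100.9 completes its handshake in minute 2 (state `ESTABLISHED:ESTABLISHED`), so a legitimate client that was merely slow is never added. The per-state age the post asks for is not in the plain `pfctl -ss` listing, but `pfctl -vss` prints an `age` field for each state, which is the closest existing data point; the parser above does not depend on it.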
