Hello, I've been successfully using the max-src-conn and max-src-conn-rate with an overload into a table that I block for our external firewall that protects a few dozen (mostly Sun) web servers. As it stands it works great for blocking ssh, ftp, smtp and several other protocols when there are attempts at floods or hacks. I group them by port and have different settings for different sets of ports.
One thing I continually run into on the machines are port 80 attacks or floods. I'd like to do something similar with PF as I'm already doing for other protocols to overload these into a table and block them, but I'm finding it very hard to come up with a set of rules that eliminate any false positives while still catching actual attacks. I find in particular there are a few websites behind our firewall that have very complex page structures with lots of embedded images such that a fast browser with a fast connection viewing certain sections of the site can easily do hundreds of legit GETs in a matter of a couple seconds. Does anyone have any suggestions for weeding out the false positives? Merely upping either of max-src-conn or max-src-conn-rate seems to be eventually self-defeating as it just allows attacks through as well as allowing the fast legit traffic.

thanks,

--
[EMAIL PROTECTED]
The sky above the port was the color of television, tuned to a dead station.
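For readers unfamiliar with the setup the poster describes, here is an added pf.conf fragment (not the poster's own configuration) that groups services by port with separate overload tables and thresholds, and keeps the HTTP rule apart so it can be tuned independently. The macros `$ext_if` and `$web_servers`, the table names and every numeric threshold are assumptions chosen for illustration; real limits have to be derived from the site's own traffic baseline.

```pf
# Assumed macros: adjust to the real interface and server addresses.
ext_if      = "bge0"
web_servers = "{ 192.0.2.10, 192.0.2.11 }"

# One table per service group so each can carry its own expiry policy.
table <bruteforce> persist
table <httpflood>  persist

# Block offenders as early as possible in the ruleset.
block in quick on $ext_if from <bruteforce>
block in quick on $ext_if from <httpflood>

# Interactive/mail services: few legitimate connections per source, so the
# limits can be tight. "flush global" drops every state the offender holds.
pass in on $ext_if proto tcp to $web_servers port { ssh, ftp, smtp } \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/30, overload <bruteforce> flush global)

# HTTP: a browser fetching an image-heavy page opens many short connections,
# so the limits are far looser. Note that max-src-conn-rate counts new TCP
# connections (state entries), not requests; many GETs over a few keep-alive
# connections create only a few states and will not trip the rate.
# Plain "flush" only kills states matching this rule, leaving the source's
# other traffic (e.g. an open mail session) untouched.
pass in on $ext_if proto tcp to $web_servers port 80 \
    flags S/SA keep state \
    (max-src-conn 150, max-src-conn-rate 300/10, overload <httpflood> flush)

# Entries never expire on their own; age them out from cron so a shared
# NAT address that once tripped the limit is not blocked forever, e.g.:
#   pfctl -t httpflood  -T expire 1800
#   pfctl -t bruteforce -T expire 86400
```

After reloading, `pfctl -t httpflood -T show` lists what the HTTP rule has caught, which is the quickest way to see whether a chosen threshold is catching real browsers.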

