On Wed, Nov 06, 2002 at 12:02:42PM +0100, Michiel van Baak wrote:

> I know they have to block it in the router.
> But that's not the case with my network and now I want to block them in the router here.
> It's a box that does NAT for our internal net and runs smtp,pop3,www,https and ssh
>
> Is there a way to do it with pf?
Well, a real distributed DoS attack involves many hosts fully establishing connections to a service you provide to the public, which either saturates your uplink or the resources on your server so that legitimate connections cannot be handled anymore, thus denying service to your legitimate peers.

If you can distinguish connections from attackers from legitimate connections, of course you can block them with pf. You can also not send tcp rst and icmp errors on blocked ports to conserve bandwidth.

But if the attack is sophisticated, coming from numerous unspoofed sources and just exhausts your uplink, there's nothing you can do with a firewall alone, since the damage is already done when it sees the packets.

If the problem is not the uplink but a service being exhausted, you can throttle connections by proxying them, which also deals with incomplete (spoofed) tcp handshakes (similar to syn cookies, etc.), or use keep state options like 'max' and aggressive timeouts.

Daniel
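The mitigations Daniel lists, sketched as a pf.conf fragment. This is an added example, not from the thread; it is written in current pf.conf syntax (tables and `synproxy` postdate this 2002 exchange), and the interface name, the address of the internal net and every numeric limit are assumed placeholders to be tuned for the real box.

```pf
# Added example, not part of the original thread.
# Interface, network and all numbers below are assumed placeholders.
ext_if       = "ne3"
internal_net = "192.168.0.0/24"
services     = "{ smtp, pop3, www, https, ssh }"

# Do not answer blocked packets with TCP RST or ICMP unreachable:
# every reply to a flood costs outbound bandwidth on the uplink.
set block-policy drop

# Aggressive TCP timeouts: half-open (first/opening) states expire fast,
# so spoofed or incomplete handshakes do not pin state entries for long.
set timeout { tcp.first 30, tcp.opening 10, tcp.closing 60 }
set timeout { tcp.finwait 30, tcp.closed 30 }

# Hard ceiling on the state table, so a flood can at worst fill this
# and not exhaust kernel memory.
set limit states 10000

scrub in all

# Default deny, logged, on the external interface.
block in log on $ext_if all

# Sources you have identified as attackers (if they are distinguishable)
# are dropped before any state is created. Fill the table with pfctl -t.
table <attackers> persist
block in quick on $ext_if from <attackers> to any

# Public services: pf completes the handshake itself (synproxy) so only
# fully established connections reach the daemons, and 'max' caps how
# many concurrent states this rule may hold.
pass in on $ext_if proto tcp from any to ($ext_if) port $services \
    flags S/SA synproxy state (max 500)

# Traffic from the internal net going out keeps state as usual.
pass out on $ext_if from $internal_net to any keep state
```

Check the result with `pfctl -nf /etc/pf.conf` before loading it, and watch `pfctl -si` (state table size, inserts, removals) under load to see whether the `max` and `states` limits are the ones actually being hit.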
