On Wed, Nov 06, 2002 at 12:44:38PM +0100, Sacha Ligthert wrote:
> I wonder on the other side what can be done (by pf) to prevent the host
> being used as a zombie spawning (spoofed) packets like mad. Anybody a clue?
There are some articles about that on http://www.honeynet.org/papers/honeynet/ as honeypots are usually limited in that way so they cannot be used for DoS attacks against external hosts.

One interesting trick is to limit the number of states the host can create (with 'keep state (max N)') and then increase the TCP timeouts to artificially high values. If you set all tcp.* values to, for instance, 3600 seconds and limit the states to 10 entries, the host can't establish more than 10 tcp connections per hour, as no state will be removed before at least 3600 seconds have passed.

There's a link to a patch for pf that allows further session limiting on honeynet.org.

Daniel
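The timeout-plus-state-cap trick described above written out as a pf.conf fragment; this is an added example, not configuration from Daniel's reply or from honeynet.org. It assumes pf runs on the honeypot itself, that the outside-facing interface is named xl0 (an assumed name), and that the rule set is checked with pfctl before loading.

```pf
# /etc/pf.conf fragment (added example). Assumes pf runs on the honeypot
# and that the interface facing the outside world is xl0 (assumed name).
ext_if = "xl0"

# Hold every TCP state for at least an hour, whichever phase the
# connection is in, so that a state slot is never freed early.
set timeout tcp.first       3600
set timeout tcp.opening     3600
set timeout tcp.established 3600
set timeout tcp.closing     3600
set timeout tcp.finwait     3600
set timeout tcp.closed      3600

# Drop outbound TCP by default; the pass rule below is the only way out.
block out on $ext_if proto tcp all

# Outbound TCP from the honeypot's own address may create state, but this
# rule may own at most 10 states at once. Combined with the hour-long
# timeouts, that is at most 10 new outbound TCP connections per hour.
pass out on $ext_if proto tcp from $ext_if to any flags S/SA keep state (max 10)
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and watch the state table with `pfctl -s state` and the effective timeouts with `pfctl -s timeouts` to confirm the cap is actually being hit.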