Define a filter to drop the packets with SYN+FIN flags set.

Mihai

> jeff wrote:
>> Sean Knox wrote:
>>
>>> <tcpdump logs and pf.conf snipped>
>>>
>>> The only people who can help is your ISP. Talk to them and hopefully
>>> they can trace the attack upstream.
>>
>>
>> I once added this to pf.conf to mitigate a DDoS. It appeared to have
>> worked, but it may have been a placebo effect ;)
>>
>> set optimization aggressive
>> set timeout tcp.first 45
>> set timeout tcp.established 43200
>> set timeout { adaptive.start 30000, adaptive.end 45000 }
>> set limit states 40000
>>
>
>
> This might help with a SYN attack as long as you still have available
> bandwidth. Additionally, this wouldn't help against any non-TCP packet.
> If an attacker is exhausting your pipe, all the firewalling in the world
> won't help. You'll have to have upstream ISPs route the packets into
> /dev/null.
>
> sk
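
The SYN+FIN filter suggested at the top of this message, written out as a pf.conf fragment. This is an added example and not part of the original thread; the macro name `ext_if`, the interface `em0` and the port 80 service are assumptions, and only the state limit is taken from the settings quoted above.

```pf
# Added example, not from the original thread.
# Assumption: em0 is the Internet-facing interface.
ext_if = "em0"

# State table limit quoted earlier in the thread.
set limit states 40000

# Default deny for inbound traffic on the external interface.
block in on $ext_if all

# Drop TCP segments that have both SYN and FIN set.
# "flags SF/SF" means: look at the SYN and FIN bits, match when both are set.
# No legitimate TCP stack sends this combination.
# "quick" stops rule evaluation here, so no later pass rule can let the
# packet in. "log" copies matches to pflog0 so the drop can be observed.
block in log quick on $ext_if proto tcp from any to any flags SF/SF

# Assumption: a web server on port 80 is the service being protected.
# "flags S/SA" creates state only for a clean initial SYN
# (SYN set, ACK clear).
pass in on $ext_if proto tcp from any to any port 80 flags S/SA keep state
```

Syntax-check the file with `pfctl -nf /etc/pf.conf` before loading it; as the quoted replies point out, a rule like this only helps while the link itself is not saturated.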
