Re: fighting amplification attack --was: Re: pf: block drop not working

2021-05-07 Thread Stuart Henderson
No this is not possible. UDP is trivially spoofed (which is probably why you see the problem in the first place; the source IPs you see on the packets are the *victims* not the attacker). Doing this for UDP opens an easy DoS of your legitimate clients. -- Sent from a phone, apologies for poor

Re: fighting amplification attack --was: Re: pf: block drop not working

2021-05-07 Thread Tom Smyth
Hello Axel, Check out fastnetmon if you have SFLOW (Preferably ) or Netflow support on your switches /or routers facing external providers you can put pps per second thresholds on . but bear in mind if the amount of bandwdith being sent to your router exceeds capacity you need to send a BGP co

Re: fighting amplification attack --was: Re: pf: block drop not working

2021-05-07 Thread Axel Rau
> Am 05.05.2021 um 16:20 schrieb Stuart Henderson >: > > This is usually best dealt with in your DNS server software e.g. by using > the rrl-* configuration in NSD, see nsd.conf(5), or "rate-limit" config > section in BIND. Yes, I have this in place now, but I try

Re: fighting amplification attack --was: Re: pf: block drop not working

2021-05-05 Thread Stuart Henderson
On 2021-05-05, Axel Rau wrote: >> >> check the table name … > > But even with the correct table name I had to flush states to get it working. That is expected. A state lookup is done before parsing the ruleset. You can try clearing states with pfctl -k but there are some issues, it doesn't alway

Re: pf: block drop not working

2021-05-05 Thread John McGuigan
I think you've used "black_hole" and "black_whole" as table names. They should all be the same. John On Wed, May 5, 2021, 5:18 AM Axel Rau wrote: > Hi all, > > in pf.conf, I have at the beginning: > - - - > table persist file "/etc/pf/black_hole.txt" > block drop in quick on $red_if from flag

fighting amplification attack --was: Re: pf: block drop not working

2021-05-05 Thread Axel Rau
> Am 05.05.2021 um 13:30 schrieb Tom Smyth : > > black_whole vs black_hole > > check the table name … But even with the correct table name I had to flush states to get it working. Does anyone has a script handy to update the table to black hole dns clients which repeat same query with high f

Re: pf: block drop not working

2021-05-05 Thread Axel Rau
> Am 05.05.2021 um 13:30 schrieb Tom Smyth >: > > black_whole vs black_hole > > check the table name … Thanks a lot! Axel --- PGP-Key: CDE74120 ☀ computing @ chaos claudius signature.asc Description: Message signed with OpenPGP

Re: pf: block drop not working

2021-05-05 Thread Tom Smyth
black_whole vs black_hole check the table name ... On Wed, 5 May 2021 at 12:11, Axel Rau wrote: > > Hi all, > > in pf.conf, I have at the beginning: > - - - > table persist file "/etc/pf/black_hole.txt" > block drop in quick on $red_if from flags any > > fw1# pfctl -s rules | head -3 > block

pf: block drop not working

2021-05-05 Thread Axel Rau
Hi all, in pf.conf, I have at the beginning: - - - table persist file "/etc/pf/black_hole.txt" block drop in quick on $red_if from flags any fw1# pfctl -s rules | head -3 block drop in quick on em2 from to any fw1# pfctl -t black_hole -T show . . . 146.168.0.0/16 . . . But responses stil