[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: dDoS attacks

Han Boetes wrote:

Not so much as a direct reply but more as to share what happened when  I
was ddossed a few month ago.

The thing that brought my pc to it's knees was pflog trying  to  log  it
all. Once I found that out I disabled logging and Then I  hardly  had  a
connection because my upload caused by  the  replies  of  my  return-rst
firewall stuffed the upload. After that I disabled return-rst  I  got  a
continous stream of 50kb/s and I barely noticed I was ddossed.

So my suggestion would be to put in triggers in pf that would go  of  at
certain levels that would indicate  a  ddos,  after  which  logging  and
return-rst is disabled. Perhaps pflog could  go  in  another  mode  that
gathers much less detailed info.

one could accomplish such a thing without any changes to pf - just a small daemon (perhaps a script) which monitors some statistic (eg.g. denied packets) and switches rulesets if it is exceeded.