Re: dDoS attacks
Han Boetes wrote:
Not so much a direct reply, but more to share what happened when I
was DDoSed a few months ago.
The thing that brought my PC to its knees was pflog trying to log it
all. Once I found that out I disabled logging, and then I hardly had a
connection because the upload caused by the replies of my return-rst
firewall stuffed the upload. After I disabled return-rst I got a
continuous stream of 50kb/s and I barely noticed I was DDoSed.
So my suggestion would be to put triggers in pf that would go off at
certain levels that would indicate a DDoS, after which logging and
return-rst are disabled. Perhaps pflog could go into another mode that
gathers much less detailed info.

One could accomplish such a thing without any changes to pf - just a
small daemon (perhaps a script) which monitors some statistic (e.g.
denied packets) and switches rulesets if it is exceeded.
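The following script is an added illustration of the approach suggested in the reply above; it is not code from either poster. It samples the packet counters of pf's `block` rules (as printed by `pfctl -vsr`), computes the rate of denied packets per second, and reloads a "quiet" ruleset when the rate crosses a threshold, switching back with some hysteresis once the rate drops. The two ruleset paths, the threshold, the interval and the exact layout of the `pfctl -vsr` statistics line are assumptions to be checked on your own host; the quiet ruleset is assumed to be a copy of the normal one with `log` and `return-rst` removed.

```shell
#!/bin/sh
# pfwatch.sh (added example): watch pf's denied-packet counters and switch
# between a normal and a "quiet" ruleset without changing pf itself.
# Assumed paths and tunables; adjust for the host.
NORMAL_RULES=${NORMAL_RULES:-/etc/pf.conf}
QUIET_RULES=${QUIET_RULES:-/etc/pf.conf.quiet}  # same rules, minus "log" and "return-rst"
INTERVAL=${INTERVAL:-10}      # seconds between samples
THRESHOLD=${THRESHOLD:-500}   # blocked packets per second that counts as an attack

# Sum the Packets: counter of every "block" rule in 'pfctl -vsr' output read
# from stdin. Assumed layout: each rule line is followed by a line such as
#   [ Evaluations: 120  Packets: 45  Bytes: 2700  States: 0 ]
parse_blocked_packets() {
    awk '
        /^block/ { in_block = 1; next }
        /^[[:space:]]*\[ Evaluations:/ {
            if (in_block)
                for (i = 1; i <= NF; i++) if ($i == "Packets:") total += $(i + 1)
            in_block = 0
            next
        }
        { in_block = 0 }
        END { printf "%d\n", total + 0 }
    '
}

# Blocked packets per second between two samples (integer arithmetic).
# A counter that went backwards means it was reset, e.g. by a ruleset reload.
blocked_rate() {   # prev cur interval
    if [ "$2" -lt "$1" ]; then
        echo $(( $2 / $3 ))
    else
        echo $(( ($2 - $1) / $3 ))
    fi
}

# Decide which ruleset we want. Leave "attack" only when the rate has fallen
# below half the threshold, so a rate hovering near it does not flap.
classify() {   # rate threshold current_state
    if [ "$3" = attack ]; then
        if [ "$1" -lt $(( $2 / 2 )) ]; then echo normal; else echo attack; fi
    else
        if [ "$1" -ge "$2" ]; then echo attack; else echo normal; fi
    fi
}

load_ruleset() {   # file
    pfctl -f "$1"
}

watch() {
    state=normal
    prev=$(pfctl -vsr | parse_blocked_packets)
    while sleep "$INTERVAL"; do
        cur=$(pfctl -vsr | parse_blocked_packets)
        rate=$(blocked_rate "$prev" "$cur" "$INTERVAL")
        want=$(classify "$rate" "$THRESHOLD" "$state")
        if [ "$want" != "$state" ]; then
            if [ "$want" = attack ]; then
                load_ruleset "$QUIET_RULES"
            else
                load_ruleset "$NORMAL_RULES"
            fi
            logger -t pfwatch "blocked rate ${rate}/s, switched to $want ruleset"
            state=$want
            cur=0   # pfctl -f starts the rule counters from zero again
        fi
        prev=$cur
    done
}

# Only run the loop when explicitly asked, so the functions can be sourced.
if [ "${PFWATCH_RUN:-0}" = 1 ]; then
    watch
fi
```

Run it as root with `PFWATCH_RUN=1 sh pfwatch.sh &`. Note that the counters are per rule, so rules that only match during an attack (a `block return-rst` rule on one port, say) are summed together with the catch-all block rule; if the box has legitimate bursts of denied traffic, raise `THRESHOLD` or lengthen `INTERVAL` rather than lowering the hysteresis.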