
max-src-conn-rate and icmp?

Hi there,
We'd like to use pf to catch -- and block -- Windows hosts that we
believe have been compromised.  One common thing they do is generate a
lot of ICMP traffic, probably some nachi-type DoS flood tool.
It seems that max-src-conn-rate, and its friend, overload, only seem
to work with TCP, and the pf.conf docs seem to agree.
Is there any way we can have a machine, which generates a high amount
of ICMP traffic, be snarfed into some overload table so we can give
them a "please call us" http forced response?