On Wed, Nov 06, 2002 at 12:02:42PM +0100, Michiel van Baak wrote:
> I know they have to block it in the router.
> But that's not the case with my network and now I want to block them
> in the router here.
> It's a box that does NAT for our internal net and runs smtp, pop3,
> www, https and ssh
>
> Is there a way to do it with pf?
okay, i will be more detailed with my explanation. the point of a ddos attack is to saturate your uplink with junk traffic, to the point where valid traffic can not be answered. if your uplink is a t1/e1 and hosts are sending traffic your way at an aggregate rate of 1Gb/s, there's no way to prevent that via pf. say all the traffic is icmp. blocking icmp via pf on your external interface is not going to help at all. you can be silently dropping the icmp that arrives, but there will be lots more of it squeezing its way through your uplink and keeping legitimate traffic out.

how do you prevent millions of packets destined for your host from arriving? you call your ISP and tell them to block the traffic at the router, that way it isn't passed through and into your strangled uplink.

if by ddos you meant a couple people trying to make your openbsd box fall down, read on:

now if someone is just trying to make your pf box crash, that is a different story. it is well known that a tool such as nmap doing multiple, concurrent scans can crash an openbsd+pf machine because the state table grows horribly large and memory exhaustion occurs. if you have a default deny ruleset, this is not an issue as states will not be created for the blocked connections. if you have a default pass ruleset that is keeping state or are worried about attacks from unfiltered interfaces that you are keeping state on, then you should set a hard limit for your state table.

- jolan
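A pf.conf fragment illustrating the two mitigations jolan describes (a default-deny ruleset so blocked traffic never creates state, plus a hard limit on the state table) for a NAT box running the services Michiel listed. This is an added example, not code from the thread; the interface names, the internal network and the limit value are assumptions chosen for the illustration.

```pf
# Added example, not from the thread. Interface names, network and the
# limit value below are assumptions for illustration only.
ext_if  = "fxp0"            # assumed external (uplink) interface
int_if  = "fxp1"            # assumed internal interface behind NAT
int_net = "192.168.1.0/24"  # constructed private network for the example

# hard cap on state-table entries: once it is reached, packets that would
# create a new state are dropped instead of exhausting kernel memory
# (10000 is an example value; size it to the box's RAM and real load)
set limit states 10000

# default deny on every interface: blocked packets create no state,
# so a scan against unoffered ports cannot grow the table
block in all
block out all

# NAT for the internal net out the uplink
nat on $ext_if from $int_net to any -> $ext_if

# only the offered services may create state on the external interface;
# "flags S/SA" means only a real SYN opens a state entry
pass in on $ext_if proto tcp from any to $ext_if \
    port { smtp, pop3, www, https, ssh } flags S/SA keep state
pass out on $ext_if proto { tcp, udp, icmp } all keep state

# internal clients may go out; replies are matched by the states above
pass in  on $int_if from $int_net to any keep state
pass out on $int_if from any to $int_net keep state
```

After loading the ruleset, `pfctl -s memory` shows the configured state hard limit and `pfctl -s info` shows the current state count and the rate of state insertions, which is where table growth during a scan becomes visible.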