> So my suggestion would be to put in triggers in pf that would go off at
> certain levels that would indicate a ddos, after which logging and
> return-rst is disabled. Perhaps pflog could go in another mode that
> gathers much less detailed info.
this may lead to an attacker DDoS'ing your firewall so as to break into your network while no/few logs are being kept. seems very risky; it's safer to have a slow network on which you know what's happened than a fast network on which you don't. -f http://www.blackant.net/