Han Boetes wrote:
Not so much as a direct reply but more as to share what happened when I was ddossed a few month ago.The thing that brought my pc to it's knees was pflog trying to log it all. Once I found that out I disabled logging and Then I hardly had a connection because my upload caused by the replies of my return-rst firewall stuffed the upload. After that I disabled return-rst I got a continous stream of 50kb/s and I barely noticed I was ddossed. So my suggestion would be to put in triggers in pf that would go of at certain levels that would indicate a ddos, after which logging and return-rst is disabled. Perhaps pflog could go in another mode that gathers much less detailed info.
one could accomplish such a thing without any changes to pf - just a small daemon (perhaps a script) which monitors some statistic (eg.g. denied packets) and switches rulesets if it is exceeded.
-d