jeff wrote:
Sean Knox wrote:
<tcpdump logs and pf.conf snipped>
The only people who can help are your ISP. Talk to them and hopefully
they can trace the attack upstream.
I once added this to pf.conf to mitigate a DDoS. It appeared to have
worked, but it may have been a placebo effect ;)
set optimization aggressive
set timeout tcp.first 45
set timeout tcp.established 43200
set timeout { adaptive.start 30000, adaptive.end 45000 }
set limit states 40000
This might help with a SYN attack as long as you still have available
bandwidth. Additionally, this wouldn't help against any non-TCP packet.
If an attacker is exhausting your pipe, all the firewalling in the world
won't help. You'll have to have upstream ISPs route the packets into
/dev/null.
sk
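To see what the posted `set timeout { adaptive.start ..., adaptive.end ... }` and `set limit states` lines actually do as the state table fills during a SYN flood, here is an added example (not code from the thread or from the pf project) that parses those `set` lines and computes the timeouts pf would apply at a given state-table occupancy. It assumes the scaling rule documented in pf.conf(5): once the state count exceeds adaptive.start, every timeout is multiplied by (adaptive.end - states) / (adaptive.end - adaptive.start), reaching zero at adaptive.end. The pf.conf fragment inside is constructed to match the settings quoted above; the function names are this example's own.

```python
"""Added example: model pf's adaptive state timeouts for a pf.conf fragment.

Not code from the thread or from pf itself. Assumes the scaling rule in
pf.conf(5): above adaptive.start, timeouts are scaled linearly by
(adaptive.end - states) / (adaptive.end - adaptive.start), hitting zero at
adaptive.end.
"""
import re

# Constructed fragment, matching the settings posted in the thread.
PF_CONF = """
set optimization aggressive
set timeout tcp.first 45
set timeout tcp.established 43200
set timeout { adaptive.start 30000, adaptive.end 45000 }
set limit states 40000
"""

_TIMEOUT_RE = re.compile(r"^\s*set\s+timeout\s+(.*)$")
_LIMIT_RE = re.compile(r"^\s*set\s+limit\s+(\S+)\s+(\d+)")
_PAIR_RE = re.compile(r"([A-Za-z][\w.]*)\s+(\d+)")


def parse_pf_settings(text):
    """Return ({timeout_name: seconds}, {limit_name: count}) from `set` lines.

    Handles both the single form `set timeout tcp.first 45` and the braced
    form `set timeout { a 1, b 2 }`. Other `set` lines are ignored.
    """
    timeouts, limits = {}, {}
    for line in text.splitlines():
        m = _TIMEOUT_RE.match(line)
        if m:
            body = m.group(1).strip().strip("{}")
            for name, value in _PAIR_RE.findall(body):
                timeouts[name] = int(value)
            continue
        m = _LIMIT_RE.match(line)
        if m:
            limits[m.group(1)] = int(m.group(2))
    return timeouts, limits


def scale_factor(states, start, end):
    """Adaptive scaling factor pf applies when `states` entries are in the table."""
    if start >= end:
        raise ValueError("adaptive.start must be below adaptive.end")
    if states <= start:
        return 1.0
    if states >= end:
        return 0.0
    return (end - states) / (end - start)


def effective_timeouts(conf_text, states):
    """Timeouts (seconds) pf would use at the given state-table occupancy."""
    timeouts, _limits = parse_pf_settings(conf_text)
    factor = scale_factor(states, timeouts["adaptive.start"], timeouts["adaptive.end"])
    return {
        name: int(round(secs * factor))
        for name, secs in timeouts.items()
        if not name.startswith("adaptive.")
    }


def factor_at_state_limit(conf_text):
    """Smallest scaling factor reachable before `set limit states` refuses new entries.

    If adaptive.end is above the states limit, timeouts never reach zero; the
    table simply fills and new connections are dropped once it is full.
    """
    timeouts, limits = parse_pf_settings(conf_text)
    return scale_factor(limits["states"], timeouts["adaptive.start"], timeouts["adaptive.end"])


if __name__ == "__main__":
    for occupancy in (10000, 30000, 37500, 40000):
        print(occupancy, effective_timeouts(PF_CONF, occupancy))
    print("factor at states limit:", factor_at_state_limit(PF_CONF))
```

With the quoted settings, scaling only begins past 30000 states, and because `limit states 40000` sits below `adaptive.end 45000` the factor bottoms out at one third when the table is full (tcp.first 45 s becomes 15 s, tcp.established 43200 s becomes 14400 s) rather than reaching zero; that is the half-open SYN state aging the poster was hoping to speed up, and it shows why this only helps while bandwidth remains.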