c0co wrote:
> This probably depends on what's in your current logging and why you're
> concluding that it's reflection.
>
> A KISS solution might be to eval the logs, identify the consistent indicators
> of bad traffic, and pass the src IPs (spoofed or otherwise) into a dedicated
> block table in PF.

What seemed to work for now was blocking traffic with a src port of 0-1024 and a dest port of one of the running services, e.g. HTTP. The forged packets almost always had a source port of 22, 80, or 443.

Regards
Lloyd
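
The following is an added example, not part of the original thread: it combines the two ideas above by scanning log lines for the indicator Lloyd describes (privileged source port aimed at a running service) and producing a source-IP list that could feed a dedicated PF block table. The `tcpdump -n` style line format, the service port set, the `min_hits` threshold and all names in the code are assumptions; the sample lines are constructed.

```python
import re
from collections import Counter

# Assumption: services this host actually runs (destination ports to protect).
SERVICE_PORTS = {80, 443}
# From the post: forged packets arrived with a source port in 0-1024.
MAX_SUSPECT_SRC_PORT = 1024

# Matches the "src.port > dst.port:" part of tcpdump -n output (IPv4 only).
FLOW_RE = re.compile(
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):"
)

def suspect_sources(lines, min_hits=2):
    """Return sorted source IPs seen at least min_hits times with a
    low source port aimed at one of SERVICE_PORTS."""
    hits = Counter()
    for line in lines:
        m = FLOW_RE.search(line)
        if not m:
            continue  # not a TCP/UDP flow line we understand
        sport, dport = int(m["sport"]), int(m["dport"])
        if sport <= MAX_SUSPECT_SRC_PORT and dport in SERVICE_PORTS:
            hits[m["src"]] += 1
    return sorted(ip for ip, n in hits.items() if n >= min_hits)

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
12:00:01.000001 198.51.100.7.80 > 203.0.113.10.80: S 1:1(0) win 512
12:00:01.000200 198.51.100.7.443 > 203.0.113.10.443: S 2:2(0) win 512
12:00:01.000350 198.51.100.9.22 > 203.0.113.10.80: S 3:3(0) win 512
12:00:02.000100 192.0.2.44.51514 > 203.0.113.10.443: S 4:4(0) win 65535
12:00:02.000900 198.51.100.9.22 > 203.0.113.10.443: S 5:5(0) win 512
12:00:03.000000 192.0.2.80.443 > 203.0.113.10.80: S 6:6(0) win 512
"""

if __name__ == "__main__":
    # One address per line, the form pfctl accepts as a table file.
    print("\n".join(suspect_sources(SAMPLE_LOG.splitlines())))
```

The output is one address per line, which `pfctl -t <table> -T add -f <file>` can load; because the sources may be spoofed, entries in such a table are best expired rather than kept permanently.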