synproxy in pf already makes sure the 3-way handshake completes before the connection is completed on the other side; rate limiting can also be done on the OpenBSD firewall, so it's not clear why you would need an extra box there.
The bigger problem with DDoS attacks is that the upstream pipe is filled up with traffic, and no matter how much technology you deploy at your end of the pipe, it's still going to be full. Rate limiting and such needs to be deployed further out, at your ISP, and possibly further upstream. Also, it would help if all ISPs implemented proper egress filtering to prevent spoofing.

On Fri, Jul 18, 2008 at 10:27:36PM -0700, Parvinder Bhasin wrote:
> This maybe dumb but won't hurt to throw this out there, maybe this has
> to be built with combination of tools, technologies etc but i would
> definitely like to first collect as much info and then maybe work on
> this (or maybe the solution - open source is already out there , in that
> case I would like to know what :), I know of many 100K devices that will
> do this.
>
> Is there a way that I can setup a machine (another openbsd machine) in
> front of an OpenBSD firewall to help against DDoS attacks?
> If so what would be proper approach in doing so (if someone has already
> approached this subject).
>
> Machine would have 2 or 3 nics (3rd nic for management maybe?).
> You take the internet drop on the first port, say for example: fxp0
> (external_if) . Maybe implement SYNCOOKIE (technology). The traffic
> only gets passed on to the firewall port through fxp1 (internal_if) ,
> once the server gets the ACK back. Would SYNPROXY do this too??
> This machine could also be doing some form of RATE LIMITING?? maybe??
>
> Anyone ?? Any takers??
>
> /Parvinder Bhasin
> --
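The reply's point that the existing OpenBSD firewall can already do both jobs, as an added pf.conf example (not from either poster). It combines `synproxy state`, which makes pf complete the three-way handshake with the client before any packet reaches the server, with pf's per-source connection limits and an `overload` table. The interface name, the server address and the numeric limits are assumed for illustration; tune them to the real traffic profile.

```pf
# Added example, not part of the original thread.
# Assumed macros: the external interface and the protected web server.
ext_if    = "fxp0"
webserver = "192.0.2.10"

# Sources that exceeded the connection-rate limit land here. Entries stay
# until expired, e.g. from cron:  pfctl -t bruteforce -T expire 3600
table <bruteforce> persist

# Drop everything from sources already in the overload table.
block in quick on $ext_if from <bruteforce>

# New TCP connections to the web server are proxied by pf: the server
# only sees a connection after the client has completed the handshake
# with pf, so half-open floods never reach it. The state options then
# cap each source at 100 concurrent connections and 15 new connections
# per 5 seconds; a source that exceeds the rate is added to <bruteforce>
# and all of its existing states are flushed.
pass in on $ext_if proto tcp to $webserver port { 80 443 } \
    synproxy state \
    (max-src-conn 100, max-src-conn-rate 15/5, \
     overload <bruteforce> flush global)
```

Two caveats a practitioner would want alongside this: `synproxy state` only works when pf sees both directions of the flow, so it is unsuitable for asymmetrically routed paths; and, as the reply says, none of this helps once the link itself is saturated, because the rejected packets have already consumed the upstream bandwidth before pf ever sees them.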