Hi all,
I'm interested in logging packets that hit the max-src-states rule, or even better, putting the source IPs in a table like overload does.
set block-policy drop
set optimization aggressive
block in
pass out keep state
# the wrapped pass rule, joined with pf's backslash line continuation
pass in quick on $ext_if proto tcp from any to ($ext_if) port $my_server \
    flags S/SA keep state \
    (source-track rule, max-src-states 30, max-src-conn 30, \
     overload <abusive_hosts> flush global)
I'm in the middle of a DDoS attack with a vast number of unfinished TCP SYN connections from a vast number of IPs. I want to keep track of the source IPs of the attackers, even if they might be spoofed.
Also, any other idea how I could mitigate the attack? The machine is old and is being exhausted, and it starts dropping active/established connections.
Regards,
Giannis
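As an added example (not from Giannis's post), a pf.conf fragment that makes the limits observable: `log` sends matching packets to pflog0, `synproxy state` makes pf finish the three-way handshake before the server sees a connection, and `max-src-conn-rate` with `overload` fills the table from sources that do complete handshakes; a source that only exceeds `max-src-states` is refused further state but is not tabled. The interface, port and table name are assumed to match the post's macros.

```pf
# Added example, not the original poster's ruleset.  $ext_if and
# $my_server are assumed macros as in the post; <abusive_hosts> is the
# post's table name.
ext_if = "em0"                  # assumed
my_server = "80"                # assumed
table <abusive_hosts> persist   # survives reloads; clear with -T flush

set block-policy drop
set optimization aggressive     # shorter timeouts free state sooner
set limit states 100000         # raise the state-table ceiling on a busy box

# Drop already-tabled sources before the stateful rule is evaluated,
# so they no longer consume state entries or CPU in rule matching.
block in quick on $ext_if from <abusive_hosts>
block in log
pass out keep state

# synproxy state: pf answers the client's SYN itself and only opens the
# server-side connection once the client's ACK arrives, so half-open
# attempts never reach the listening socket (they still cost pf a state).
# overload is driven by max-src-conn / max-src-conn-rate, which count
# completed handshakes, so spoofed SYNs alone do not land in the table.
pass in log quick on $ext_if proto tcp from any to ($ext_if) port $my_server \
    flags S/SA synproxy state \
    (source-track rule, max-src-states 30, \
     max-src-conn 30, max-src-conn-rate 15/5, \
     overload <abusive_hosts> flush global)
```

Check results with `pfctl -t abusive_hosts -T show`, `pfctl -s Sources` and the src-limit counter in `pfctl -si`; `tcpdump -n -e -ttt -i pflog0` shows what the `log` keyword records.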