Michiel van Baak ([EMAIL PROTECTED]) wrote:
> I've been spending 3 days searching on Google and reading docs/howto's
> about pf. But I didn't find any information about how to protect your
> server/network against dos and ddos attacks. Anyone who can enlighten
> me?
>
> I'm pretty new to OpenBSD. Started using it when 2.9 came out and just
> preordered 3.2. I'm running a server/firewall on 3.0 for a while now.

Not so much as a direct reply but more as to share what happened when I was ddossed a few months ago.

The thing that brought my PC to its knees was pflog trying to log it all. Once I found that out I disabled logging, and then I hardly had a connection because my upload caused by the replies of my return-rst firewall stuffed the upload. After I disabled return-rst I got a continuous stream of 50kb/s and I barely noticed I was ddossed.

So my suggestion would be to put in triggers in pf that would go off at certain levels that would indicate a ddos, after which logging and return-rst is disabled. Perhaps pflog could go in another mode that gathers much less detailed info. Of course I don't know if this is a good idea. This is just my impression.

Another side effect of the return-rst was that I got a warning from my ISP for scanning certain hosts. Of course the IPs of the attackers were spoofed and I got the blame for the return packets identified by the other person as a scan.

//Han
--
Linux, the choice        .~.     I never said all Democrats were
of a GNU generation     / V \    saloonkeepers; what I said was all
Kernel 2.4.19          /( . )\   saloonkeepers were Democrats.
on a i686                ^-^
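
The trigger idea suggested in the reply above, sketched as an added example (not part of the original message, and not existing pf functionality): a threshold check with hysteresis that decides when to move between a "normal" mode (logging and return-rst on) and a "quiet" mode (silent drop, no logging). The thresholds, sample rates and function names are assumptions made for illustration; on a real system the blocked-packet rate would come from pf's counters and a mode change would load an alternate ruleset with pfctl -f.

```shell
#!/bin/sh
# Added example: flood trigger with hysteresis (illustrative, not pf code).
#   normal - block rules log and answer with return-rst
#   quiet  - block rules drop silently and do not log
# All numbers below are constructed; tune them to the link and host.
HIGH=5000   # blocked packets/s above which we switch to quiet
LOW=500     # blocked packets/s below which a sample counts as calm
CALM=3      # consecutive calm samples required to return to normal

# next_state MODE CALM_COUNT PPS -> prints "MODE CALM_COUNT"
# Going quiet is immediate; going back to normal requires a sustained
# calm period, so a flood that pulses does not flip logging on and off.
next_state() {
    mode=$1; calm=$2; pps=$3
    if [ "$mode" = normal ]; then
        if [ "$pps" -gt "$HIGH" ]; then mode=quiet; fi
        calm=0
    elif [ "$pps" -lt "$LOW" ]; then
        calm=$((calm + 1))
        if [ "$calm" -ge "$CALM" ]; then mode=normal; calm=0; fi
    else
        calm=0      # still noisy: restart the calm counter
    fi
    echo "$mode $calm"
}

# simulate PPS... -> prints the mode chosen after each sample.
# A real monitor would, on each mode change, load the matching ruleset
# (for example: pfctl -f <ruleset file>; file names are site-specific).
simulate() {
    mode=normal; calm=0; out=""
    for pps in "$@"; do
        state=$(next_state "$mode" "$calm" "$pps")
        mode=${state% *}; calm=${state#* }
        out="$out${out:+ }$mode"
    done
    echo "$out"
}

# Constructed samples: a flood, a short lull, a second burst, then calm.
simulate 100 8000 9000 300 200 6000 100 100 100 50
```

The short lull (300, 200) does not re-enable logging because the second burst at 6000 resets the calm counter before three calm samples accumulate.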
