On Wed, 2002-11-06 at 08:57, Han Boetes wrote:

> firewall stuffed the upload. After that I disabled return-rst I got a
> continuous stream of 50kb/s and I barely noticed I was DDoSed.
>
> So my suggestion would be to put in triggers in pf that would go off at
> certain levels that would indicate a DDoS, after which logging and
> return-rst is disabled. Perhaps pflog could go in another mode that
> gathers much less detailed info.
>
> Of course I don't know if this is a good idea. This is just my
> impression.
>
> Another side effect of the return-rst was that I got a warning from my
> ISP for scanning certain hosts. Of course the IPs of the attackers were
> spoofed and I got the blame for the return packets identified by the
> other person as a scan.
Ironic, isn't it? You try to run a "good neighbor firewall" and get accused of portscanning. Not to mention committing interconnectivity suicide on your upstream. :(

Yeah, that would be nice, but could likely be implemented with some sort of ioctl/pfctl(?) userland utility that checks for max connections, then adds temporary rules to disable logging and return-rst for that source. Heck, this *could* be done with a perl script and cron, although it wouldn't be "real-time". I wonder, realistically, how much CPU would be wasted running this every minute from cron? :)

-J.
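The cron-driven trigger the reply sketches, written out as an added example (editor's code, not something either poster or the pf project shipped). It assumes a pf with table support (`pfctl -t ... -T add`), a pf.conf where a silent `block drop quick from <flooders>` rule sits ahead of the usual `block return-rst log` rule, and that blocked packets are fed in as `tcpdump -n -e -ttt -i pflog0` output; the log line format and the sample lines are constructed, and the `flooders` table name and `THRESHOLD` knob are assumptions.

```shell
#!/bin/sh
# Added example: park sources that trip a blocked-packet threshold in a pf
# table, so they hit a silent "block drop" rule instead of "block return-rst log".
# Assumed pf.conf fragment this script pairs with:
#
#   table <flooders> persist
#   block drop quick from <flooders>        # no RST, no log for flagged sources
#   block return-rst log proto tcp all      # normal "good neighbor" behaviour
#
# Input: one line per blocked packet, as printed by
#   tcpdump -n -e -ttt -i pflog0     (format assumed; sample below is constructed)

THRESHOLD="${THRESHOLD:-100}"   # blocked packets per interval before a source is flagged
TABLE="${TABLE:-flooders}"      # assumed table name, must match pf.conf

# Constructed sample of pflog output: one chatty source, one quiet one.
SAMPLE='rule 2/0(match): block in on fxp0: 192.0.2.7.40001 > 198.51.100.1.22: S 1:1(0) win 512
rule 2/0(match): block in on fxp0: 192.0.2.7.40002 > 198.51.100.1.22: S 1:1(0) win 512
rule 2/0(match): block in on fxp0: 203.0.113.9.5555 > 198.51.100.1.80: S 1:1(0) win 8192
rule 2/0(match): block in on fxp0: 192.0.2.7.40003 > 198.51.100.1.22: S 1:1(0) win 512'

# Read pflog lines on stdin; print "count source" for every source whose
# blocked-packet count is at or above $1. The source is the field before ">"
# with its trailing ".port" stripped.
count_sources() {
    awk -v thr="$1" '
        /block in/ {
            src = ""
            for (i = 1; i <= NF; i++) if ($i == ">") { src = $(i-1); break }
            if (src == "") next
            sub(/\.[0-9]+$/, "", src)        # drop trailing ".port"
            n[src]++
        }
        END { for (s in n) if (n[s] >= thr) print n[s], s }
    ' | sort -rn
}

# Add each flagged source to the table. pfctl is only called when present;
# otherwise the action is printed, so the script can be exercised anywhere.
flag_sources() {
    while read -r cnt src; do
        if command -v pfctl >/dev/null 2>&1; then
            pfctl -q -t "$TABLE" -T add "$src"
        else
            echo "would add $src to <$TABLE> ($cnt blocked packets)"
        fi
    done
}

# Helper for the self-check: sources the constructed sample flags at a threshold.
flagged_for() {
    printf '%s\n' "$SAMPLE" | count_sources "$1" | awk '{print $2}'
}

# Run with --sample to see the dry run; for live use pipe tcpdump's pflog0
# output into count_sources from a cron job or a long-running reader.
if [ "${1:-}" = "--sample" ]; then
    printf '%s\n' "$SAMPLE" | count_sources "$THRESHOLD" | flag_sources
fi
```

Because the addresses in the thread's flood were spoofed, a per-source table only buys something when the flood reuses addresses; for fully random sources the coarser measure Han floats (dropping return-rst and verbose logging globally once a threshold trips, e.g. by loading a quieter ruleset with `pfctl -f`) is the fallback, and entries should be expired again so a spoofed victim address is not silently dropped forever.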
