Flush ICMP and UDP flooders
LI Xin
delphij at delphij.net
Thu Jun 28 10:57:18 UTC 2007
Abdullah Ibn Hamad Al-Marri wrote:
> Hello,
>
> I would like to block ICMP and UDP flooders who exceed a reasonable number.
>
> #- Rate Limit UDP (150 per host)
> pass proto udp to any port $udp_services keep state
> pass in quick proto udp from any to any \
> keep state \
> (max-src-conn 1,max-src-states 151, \
> overload <DDoS> flush global)
>
> #- Rate Limit ICMP (10 per host)
> pass in quick proto icmp from any to any \
> keep state \
> (max-src-conn 1,max-src-states 11, \
> overload <DDoS> flush global)
I think ICMP and UDP can have their originating address forged, so this
will effectively construct a true remote triggerable DoS...
Cheers,
--
Xin LI <delphij at delphij.net> http://www.delphij.net/
FreeBSD - The Power to Serve!
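To illustrate Xin's point, here is a small added model (not from the list post or from pf itself) of what the quoted UDP rule does: per-source state counting with max-src-states 151 and overload <DDoS> flush global. The addresses, the OverloadModel class and the scenario function are constructed for the example; the model assumes a block rule that references <DDoS> and keys its counters on whatever source address the datagram claims, exactly as pf must for unauthenticated UDP/ICMP.

```python
"""Toy model of pf's per-source state limit with an overload table.

Added example, not code from the mailing-list post or from pf. It mimics the
quoted rule: keep state (max-src-states 151, overload <DDoS> flush global).
Once a source holds 151 states, the next new state puts that source into the
<DDoS> table and flushes all of its states. UDP and ICMP carry no proof of the
source address, so the counter keys on whatever address the packet claims.
"""
from collections import defaultdict

MAX_SRC_STATES = 151  # value from the quoted rule


class OverloadModel:
    def __init__(self, max_src_states=MAX_SRC_STATES):
        self.max_src_states = max_src_states
        self.states = defaultdict(set)  # src -> set of (dst, dport) state keys
        self.ddos_table = set()         # models the <DDoS> table

    def packet(self, src, dst, dport):
        """Handle one inbound datagram; return 'drop', 'pass' or 'overload'."""
        if src in self.ddos_table:
            return "drop"  # assumes a block rule that references <DDoS>
        key = (dst, dport)
        if key in self.states[src]:
            return "pass"  # matches an existing state, nothing new is created
        if len(self.states[src]) >= self.max_src_states:
            # overload <DDoS> flush global: insert the source, kill its states
            self.ddos_table.add(src)
            self.states[src].clear()
            return "overload"
        self.states[src].add(key)
        return "pass"


def spoofed_source_is_locked_out(claimed_src="192.0.2.10", n=200):
    """Constructed scenario: n datagrams whose source field names a legitimate
    client. The rule cannot tell them from that client's own traffic, so the
    client ends up in <DDoS> and its later, genuine query is dropped."""
    m = OverloadModel()
    for i in range(n):
        m.packet(claimed_src, "203.0.113.1", 10000 + i)  # distinct state keys
    verdict = m.packet(claimed_src, "203.0.113.1", 53)  # the client's real query
    return verdict, claimed_src in m.ddos_table
```

Running spoofed_source_is_locked_out() yields ("drop", True): the host named in the forged packets, not the sender of them, is the one blocked, which is the remotely triggerable DoS the reply warns about.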