Blocking UDP flood traffic using pf, hints welcome
Glen Barber
glen.j.barber at gmail.com
Sun Nov 9 03:33:54 PST 2008
On Sun, Nov 9, 2008 at 4:37 AM, Elvir Kuric <omasnjak at gmail.com> wrote:
> Hi all,
>
> I am playing with the pf tool on OpenBSD/FreeBSD platforms and it is a super
> tool for firewalls. One thing is interesting for me, and I am hoping
> someone has experience with this.
>
> If I say
>
> block log all
> block in log (all) quick on $ext_if proto udp from any to $ext_if
>
> this would block all traffic on $ext_if, but on my ext_if I receive a
> lot of (a huge amount of) UDP-generated traffic which makes a lot of
> problems for me.
> I also tried to add a small pipe and play with ALTQ to handle this, but
> it did not help a lot. Also I know that every packet which hits my
> ext_if should be processed (or at least take a little processor
> resources, if I block it with the keyword quick), but I am wondering
> whether there is some way to decrease the impact on the system
> when a lot of packets arrive in a short time.
>
> My question would be, what are your experiences with battling against
> boring UDP flooders? Platforms are FreeBSD / OpenBSD and all works
> like a charm except, from time to time, stupid UDP flood attacks.
>
Not sure if this will help in your situation, but you could try
setting the 'blackhole' for UDP. (There is also one for TCP.)
net.inet.tcp.blackhole
net.inet.udp.blackhole
--
Glen Barber
"If you have any trouble sounding condescending, find a Unix user to
show you how it's done."
--Scott Adams
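Added example for this thread (not code posted by either author): a pf ruleset that handles the UDP-flood case the original message describes, plus the udp.blackhole sysctl from the reply. It assumes the external interface is em0, that DNS (53) and NTP (123) are the only UDP services the host exposes, and a table name of udp_flood; all three are placeholders. The pass rules cover only UDP and the host's own outbound traffic, so merge the rest of your policy in around them.

```shell
#!/bin/sh
# Added example for this thread, not code posted by either author.
# Assumptions: the external interface is em0 and DNS (53) and NTP (123)
# are the only UDP services the host exposes; change both to taste.
ext_if="em0"
udp_services="{ 53, 123 }"

# Emit a ruleset that makes flood packets as cheap as pf can make them:
# the drop rules carry 'quick' and come first, so nothing below them is
# evaluated; they have no 'log', so pflog0 is not fed one entry per
# flood packet; and they create no state.
write_ruleset() {
    cat <<EOF
ext_if = "$ext_if"
udp_services = "$udp_services"

# Sources we have decided to drop outright; filled at run time with
#   pfctl -t udp_flood -T add <address>
table <udp_flood> persist

set block-policy drop        # drop silently, never answer with ICMP unreachable
set limit states 20000       # a flood on a served port cannot grow the state table without bound
set skip on lo0

# 1. Cheapest path: known flooders, then every UDP port we do not serve.
#    Replies to our own outbound queries match existing state before any
#    rule is evaluated, so the final block does not break them.
block in quick on \$ext_if from <udp_flood> to any
pass  in quick on \$ext_if proto udp from any to \$ext_if port \$udp_services keep state
block in quick on \$ext_if proto udp from any to \$ext_if

# 2. Default policy for whatever is left; logging here is affordable
#    because flood traffic never reaches this rule.
block log all

# 3. Everything the host itself originates.
pass out quick on \$ext_if keep state
EOF
}

# Syntax-check the ruleset with pfctl -n before loading it, so a typo
# does not leave the box with whatever was loaded before.
apply_ruleset() {
    command -v pfctl >/dev/null 2>&1 || { echo "pfctl not found" >&2; return 1; }
    tmp=$(mktemp) || return 1
    write_ruleset >"$tmp"
    pfctl -nf "$tmp" && pfctl -f "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Add one source address or network to the drop table; 'persist' keeps
# the table alive across reloads. Inspect it with: pfctl -t udp_flood -T show
ban() {
    pfctl -t udp_flood -T add "$1"
}

# The sysctl from the reply above. It only affects UDP that pf has
# already passed to a closed local port: the kernel then stays silent
# instead of sending ICMP port unreachable. Packets dropped by the
# quick rules never reach the stack, so this complements the ruleset
# rather than replacing it. Put the same line in /etc/sysctl.conf to
# survive a reboot.
udp_blackhole() {
    sysctl net.inet.udp.blackhole=1
}

case "${1:-}" in
    apply) apply_ruleset && udp_blackhole ;;
    ban)   ban "$2" ;;
    *)     write_ruleset ;;
esac
```

Run it with no arguments to print the ruleset, `apply` to check and load it and set the sysctl, and `ban <address>` to add a source to the drop table without reloading. Whether the quick rules actually take the load off can be read from `pfctl -vsr`, which shows per-rule packet counters: during a flood the first block rules should carry almost all the UDP hits and `block log all` almost none.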