Hi guys,
One of the IPs on my system is being subjected to occasional UDP floods (I can tell it's UDP by checking out the bandwidthd output for that IP). Whilst the rest of the network remains completely stable due to decent firewalls in use at the data-centre, I can't help thinking that there's more I can be doing to limit the effect of these attacks via my software firewall (pf). I tried experimenting with the following rule:
Code:
pass inet proto udp from any to x.x.x.x \
keep state \
(max-src-conn 100, max-src-conn-rate 15/5, \
overload <bruteforce> flush global)
I *think* it helped a little, but not as much as I'd like. First of all, is there really any point in implementing this sort of protection, and if so, how can I make best use of pf to stop these attacks crippling the IP in question?
Thanks,
Chris
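As an added example (not the poster's rule set), a defensive pf.conf fragment for a UDP flood against one address. Note that max-src-conn and max-src-conn-rate, and the overload table they feed, are tied to completed TCP handshakes, so for UDP the usable per-source control is max-src-states, backed by state-table limits and short UDP timeouts; pf also only drops packets that have already crossed the uplink, so this protects the host and state table, not the link itself. Assumptions: the flooded address is still written x.x.x.x, the external interface is in the "egress" group, and the only UDP service that must stay reachable on that address listens on port 53.

```pf
# Added example, not the original poster's rules. Assumes x.x.x.x is the
# flooded address, the uplink is in interface group "egress", and port 53
# is the only UDP service that must remain reachable there.

# Cap the state table and age UDP states out quickly; adaptive timeouts
# shrink them further as the table fills up under a flood.
set limit states 100000
set timeout { udp.first 30, udp.single 15, udp.multiple 30 }
set timeout { adaptive.start 60000, adaptive.end 100000 }

# Default: no UDP to the flooded address at all, and no state created for it.
block drop in on egress inet proto udp to x.x.x.x

# Only the served port gets through (last matching rule wins), and any single
# source may hold at most 20 concurrent UDP states against it. Because UDP
# sources can be spoofed, this deliberately does not feed an overload table:
# a flooder could otherwise get innocent addresses blocked.
pass in on egress inet proto udp to x.x.x.x port 53 \
    keep state (max-src-states 20)
```

Check the fragment with `pfctl -nf` before loading it; the concrete limit and timeout values above are starting points to tune against the normal traffic on that address.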