Thread: attacks DDoS
Old 17th December 2009
roundkat roundkat is offline
Shell Scout
 
Join Date: May 2008
Posts: 115

I guess you would need to be more specific on which service,
i.e. ssh, http, etc.

So, for an example, for ssh:
I block the script kiddies banging away on port 22 (ssh).
Code:
# Tables
# $ext_if is the external interface macro, defined earlier in pf.conf
table <scanners> persist

# stop the script kiddies
# SYN-proxy new ssh connections from anyone not already in <scanners>;
# more than 2 new connections from one source in 60 seconds adds that
# source to <scanners> and flushes its existing states
pass in quick on $ext_if proto tcp from !<scanners> to $ext_if port ssh flags S/SA \
    synproxy state (max-src-conn-rate 2/60, overload <scanners> flush)

# everything else from a listed source is dropped
block in quick on $ext_if from <scanners> to any
This part of my rules captures the IP of the script kiddie if they try more than
2 times in 60 seconds (a bit restrictive, yes, and you can change the interval),
then dumps the offending IP to the table "scanners".

Any subsequent connection from the offending IP is then dropped.
The table is flushed upon reboot.
I "used" to have a script that would also dump the offending IPs to a permanent
table, but that proved unnecessary to keep them.

I am assuming that there is also a solution for http, but I have never found the need to
implement one.

One of the other "more learned" mods like J65nko or a frequent pf master like s2Scott might provide you a much more
technical response... :-)

hth
rk
__________________
All posts sent on ReCycled Electrons...
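The post mentions a script that saved the overloaded addresses to a permanent table so they survive the reboot flush. As an added example, not code from roundkat's post or from the pf project, here is a small maintenance script for that job. It assumes pf is loaded, the table is named "scanners" as in the rules above, and the saved copy lives at the hypothetical path /etc/pf.scanners; pointing the table at that file in pf.conf (`table <scanners> persist file "/etc/pf.scanners"`) lets pf reload it at boot.

```shell
#!/bin/sh
# Added example: save, reload and age the pf <scanners> table.
# Assumptions: pfctl is available, the table is called "scanners",
# and /etc/pf.scanners is a hypothetical path for the saved copy.
set -eu

TABLE=${TABLE:-scanners}
STATE_FILE=${STATE_FILE:-/etc/pf.scanners}

# Normalise `pfctl -t <table> -T show` output: strip the leading
# indentation pfctl prints, drop blank lines, remove duplicates.
normalize_addrs() {
    sed 's/^[[:space:]]*//; /^$/d' | sort -u
}

# Write the table's current members to STATE_FILE and print the count saved.
save_scanners() {
    pfctl -t "$TABLE" -T show | normalize_addrs > "$STATE_FILE"
    wc -l < "$STATE_FILE" | tr -d ' '
}

# Add the saved members back into the live table (existing entries are kept).
load_scanners() {
    [ -s "$STATE_FILE" ] || return 0
    pfctl -t "$TABLE" -T add -f "$STATE_FILE"
}

# Remove entries whose statistics were last cleared more than $1 seconds
# ago (default one day), so a saved table does not grow without bound.
expire_scanners() {
    pfctl -t "$TABLE" -T expire "${1:-86400}"
}

usage() {
    echo "usage: $0 save|load|expire [seconds]" >&2
    exit 64
}

# Command dispatch; with no arguments the functions are only defined.
if [ $# -gt 0 ]; then
    case "$1" in
        save)   save_scanners ;;
        load)   load_scanners ;;
        expire) expire_scanners "${2:-86400}" ;;
        *)      usage ;;
    esac
fi
```

Run `pf-scanners.sh save` from cron (or from a shutdown hook) to keep the file current, `pf-scanners.sh load` after a manual `pfctl -f /etc/pf.conf` if the table was not declared with `file`, and `pf-scanners.sh expire` periodically so addresses that stopped scanning long ago fall out of the table again.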