freebsd:pf_attack_mitigation [2014/11/10 09:48] tschulz created |
freebsd:pf_attack_mitigation [2014/11/10 09:52] tschulz |
Line 1: | Line 1: | ||
====== Packet Filter Attack Mitigation ====== | ====== Packet Filter Attack Mitigation ====== | ||
+ | ===== Example ===== | ||
<file> | <file> | ||
table <abusive_hosts> persist | table <abusive_hosts> persist | ||
block in quick from <abusive_hosts> | block in quick from <abusive_hosts> | ||
- | pass in on $ext_if proto tcp to $web_server port www flags S/SA keep state (max-src-conn 100, max-src-conn-rate 15/5, overload <abusive_hosts> flush) | + | pass in on $ext_if proto tcp to $web_server port www \ |
+ | flags S/SA keep state \ | ||
+ | (max-src-conn 100, max-src-conn-rate 15/5, overload <abusive_hosts> flush) | ||
</file> | </file> | ||
+ | |||
+ | ===== Break it down line by line ===== | ||
+ | - define a table to store abusive hosts | ||
+ | - block the abusive hosts | ||
+ | - pass traffic to the web server | ||
+ | - you need "flags S/SA keep state" | ||
+ | - if a host creates more than 100 at a time or creates 15 connections a sec it is placed in abusive_hosts |
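Review bot: the last bullet of the breakdown misreads the rule it explains. `max-src-conn-rate 15/5` means 15 new connections from one source within 5 seconds, not "15 connections a sec", and `max-src-conn 100` caps the number of simultaneous states from one source rather than how many a host "creates at a time"; suggest rewording to "if a host holds more than 100 open connections, or opens more than 15 new connections within 5 seconds, it is added to abusive_hosts". Two practical points are also missing from the explanation: `overload <abusive_hosts> flush` only kills the offending host's states created by this rule (`flush global` would drop all of its states), and because the table is `persist` with no expiry, an address stays blocked until it is removed by hand. Worth documenting a periodic cleanup such as `pfctl -t abusive_hosts -T expire 86400` (the 86400-second age is a suggested value, not one from the page) so a host that tripped the limit once, for example from behind a shared NAT, is not blocked forever. Finally, the "you need flags S/SA keep state" bullet gives no reason: the source-tracking options only work on a stateful rule, and matching on the initial SYN ensures every counted connection is a real new connection attempt rather than a mid-stream packet creating state.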