From: Mauricio López <mlopezqc@gmail.com>
To: freebsd-questions@freebsd.org
Date: Wed, 21 Sep 2011 09:06:08 -0400
Subject: Blacklisting DOS IPs
Message-ID: <20110921130608.GA3759@mauricio-desktop>

I'm currently using a pfSense box as a gateway and I was recently a victim of a DNS DOS attack. That made me think about how I could blacklist those IPs automatically.

I looked through the pf documentation and the thing that seemed most like it was the max-src-conn-rate option, but then I realized that it's useless with UDP when some hosts send you vast amounts of packets.

I'm thinking about making a script using awk and pftop output to watch for states that have more than 1Mb of traffic (regular DNS queries aren't that big) and put those hosts in a table for blocking.

My question is whether there is some other, more efficient solution for this problem.

Thanks in advance

--
Regards from Mauricio López-Quintana Conesa
Network Administrator
Dirección de Patrimonio
Oficina del Historiador
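The approach sketched in the post (parse a state dump with awk, pick out DNS sources that moved more than a byte threshold, feed them into a pf table) as an added example; this is not code from the original post or from pfSense. It goes one step beyond the post by summing bytes per source address across all of that source's states, so an attacker spreading a flood over many short-lived UDP states is still caught. The input format is an assumption: one state per line as `proto src:port dst:port bytes`, produced by some hypothetical dump step, and the sample dump is constructed. Real `pftop` or `pfctl -ss -vv` output is laid out differently, so the awk field positions need adjusting for it; the address parsing below also assumes IPv4 (it splits on the first colon). The table name `dnsabusers` is likewise an assumed name.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes a hypothetical state dump
# with one state per line:  proto src_ip:src_port dst_ip:dst_port bytes
# Adjust the awk field numbers for real pftop / pfctl -ss -vv output.
THRESHOLD=${THRESHOLD:-1048576}   # bytes; 1 MiB, the post's "more than 1Mb"

# find_abusers: read a state dump on stdin, sum bytes per source IP over all
# its UDP states to port 53, and print the sources above THRESHOLD (sorted).
find_abusers() {
    awk -v limit="$THRESHOLD" '
        $1 == "udp" {
            split($2, src, ":")   # src[1] = source IP (IPv4 only)
            split($3, dst, ":")   # dst[2] = destination port
            if (dst[2] == "53") bytes[src[1]] += $4
        }
        END { for (ip in bytes) if (bytes[ip] > limit) print ip }
    ' | sort
}

# block_abusers: turn the IP list on stdin into pf table additions.
# DRYRUN=1 (the default) only prints the pfctl commands; DRYRUN=0 runs them.
block_abusers() {
    table=${1:-dnsabusers}   # assumed table name
    while read -r ip; do
        [ -n "$ip" ] || continue
        if [ "${DRYRUN:-1}" = 1 ]; then
            echo "pfctl -t $table -T add $ip"
        else
            pfctl -t "$table" -T add "$ip"
        fi
    done
}

# Constructed sample dump (not real pftop output): one host floods over two
# states, one host is a normal resolver client, one moves a lot of TCP/80 and
# must be ignored, one crosses the threshold in a single state.
SAMPLE='udp 203.0.113.7:51234 192.0.2.1:53 2400000
udp 203.0.113.7:51235 192.0.2.1:53 150000
udp 198.51.100.9:40000 192.0.2.1:53 512
tcp 198.51.100.9:40001 192.0.2.1:80 5000000
udp 192.0.2.55:1024 192.0.2.1:53 1100000'

# Dry run against the sample: prints the pfctl commands it would execute.
printf '%s\n' "$SAMPLE" | find_abusers | block_abusers dnsabusers
```

For the table to have any effect, pf.conf needs the table declared and a rule that consults it, e.g. `table <dnsabusers> persist` and `block in quick from <dnsabusers> to any` placed before the pass rules; `persist` keeps the table alive while it is empty. Entries added with `-T add` do not survive a reboot or a ruleset reload, so a cron job that periodically re-runs the script, and possibly expires old entries with `pfctl -t dnsabusers -T expire`, would be needed in practice. Blocking on a byte threshold alone will also catch a busy legitimate resolver, so the threshold and the set of exempt addresses deserve a whitelist check before the add.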