Date: Thu, 28 Jun 2007 18:56:57 +0800
From: LI Xin <delphij@delphij.net>
To: Abdullah Ibn Hamad Al-Marri <almarrie@gmail.com>
Cc: FreeBSD PF Pro List <freebsd-pf@freebsd.org>
Subject: Re: Flush ICMP and UDP flooders
Message-ID: <468393F9.2030805@delphij.net>
In-Reply-To: <499c70c0706280328m497a613dg552901c7c9875ed2@mail.gmail.com>
References: <499c70c0706280328m497a613dg552901c7c9875ed2@mail.gmail.com>
Abdullah Ibn Hamad Al-Marri wrote:
> Hello,
>
> I would like to block ICMP and UDP flooders who exceed a reasonable number.
>
> #- Rate Limit UDP (150 per host)
> pass proto udp to any port $udp_services keep state
> pass in quick proto udp from any to any \
>     keep state \
>     (max-src-conn 1, max-src-states 151, \
>     overload <DDoS> flush global)
>
> #- Rate Limit ICMP (10 per host)
> pass in quick proto icmp from any to any \
>     keep state \
>     (max-src-conn 1, max-src-states 11, \
>     overload <DDoS> flush global)

I think ICMP and UDP can have their originating address forged, so this will effectively construct a true remotely triggerable DoS...

Cheers,
-- 
Xin LI <delphij@delphij.net> http://www.delphij.net/
FreeBSD - The Power to Serve!
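A hardened variant of the quoted rules, added here as an example and not taken from the thread or from either poster: it keeps the aggressive "overload ... flush global" reaction for TCP only, where the completed three-way handshake proves the client owns its source address, and leaves UDP and ICMP with a plain per-source state cap that cannot push anyone into the overload table. The service lists and the trusted-table file path are assumed.

```pf
# Constructed pf.conf fragment (not from the thread).
tcp_services = "{ ssh, www }"          # assumed
udp_services = "{ domain, ntp }"       # assumed
table <DDoS>    persist                # overload target; must exist before use
table <trusted> persist file "/etc/pf.trusted"   # assumed path; never auto-blocked

# Hosts already in the overload table are dropped first.
block in quick from <DDoS>

# TCP: max-src-conn and max-src-conn-rate only count connections that
# completed the handshake, so a forged source cannot trip them. Flushing
# the offender's states globally is therefore safe here.
pass in quick proto tcp from ! <trusted> to any port $tcp_services \
    flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, overload <DDoS> flush global)

# UDP and ICMP: the source address can be forged by any third party, so
# the cap is enforced without overload and without flush. Once a source
# holds 150 (or 10) states, further packets from it simply get no new
# state; no table entry is created and nothing else is flushed.
pass in quick proto udp from ! <trusted> to any port $udp_services \
    keep state (max-src-states 150)
pass in quick proto icmp from ! <trusted> to any \
    keep state (max-src-states 10)
```

Entries that do land in <DDoS> through the TCP rule should be aged out, for example from cron with `pfctl -t DDoS -T expire 3600`, rather than accumulating indefinitely.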
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?468393F9.2030805>