On Thu, Jan 31, 2008 at 10:50:43AM -0600, Cache Hit wrote:

quoted text
> One thing I continually run into on the machines are port 80 attacks

> or floods.  I'd like to do something similar with PF as I'm already

> doing for other protocols to overload these into a table and block

> them, but I'm finding it very hard to come up with a set of rules

> that eliminate any false positives while still catching actual

> attacks.    I find in particular there are a few websites behind our

> firewall that have very complex page structures with lots of embedded

> images such that a fast browser with a fast connection viewing

> certain sections of the site can easily do 100's of legit GET's in a

> matter of a couple seconds.

>

> Does anyone have any suggestions for weeding out the false

> positives?   Merely upping either of max-src-conn or max-src-conn-

> rate seems to be eventually self-defeating as it just allows attacks

> through as well as allowing the fast legit traffic.

Depending on the traffic patterns of legit vs. attack the following idea

might work... use max-src-* with values that may create false positives

and overload into table  which will still PASS. Now use

different values for max-src-* on  pass rule to look for

longer term abuse and overload to . Effectively this lets you

do 2 stages of evaluation, at the price of taking a bit longer to block

attacks. Make sense?
--

Darrin Chandler            |  Phoenix BSD User Group  |  MetaBUG

dwchandler@stilyagin.com   |  http://phxbug.org/      |  http://metabug.org/

http://www.stilyagin.com/  |  Daemons in the Desert   |  Global BUG Federation