OpenBSD's pf has some mitigation features (Score 2, Informative)
OpenBSD's pf firewall has some options that can help mitigate the "single attacker, single source IP" version of this attack. Of course if the attackers decide to spread the attack out over multiple source IPs like a DDoS, this becomes much harder to deal with until Apache has a patch.
From pf.conf(5):

Filter rules that create state entries can specify various options to control the behavior of the resulting state entry. The following options are available:

max number
    Limit the maximum number of state entries the rule can create to number. If the maximum is reached, packets that would normally create state fail to match this rule until the number of existing states decreases below the limit.

no state
    Prevents the rule from automatically creating a state entry.

source-track
    This option enables the tracking of number of states created per source IP address. The total number of source IP addresses tracked globally can be controlled via the src-nodes runtime option.

max-src-nodes number
    When the source-track option is used, max-src-nodes will limit the number of source IP addresses that can simultaneously create state. This option can only be used with source-track rule.

max-src-states number
    When the source-track option is used, max-src-states will limit the number of simultaneous state entries that can be created per source IP address. The scope of this limit (i.e., states created by this rule only or states created by all rules that use source-track) is dependent on the source-track option specified.
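To make the man page excerpt concrete, here is a pf.conf fragment that applies those options to inbound HTTP. It is an added example, not from the original comment or from the OpenBSD project, and it assumes an external interface named em0 and numeric limits that are placeholders; it also uses max-src-conn-rate and overload, which are pf state options the comment did not quote.

```pf
# Added example (not part of the original comment). Interface name and all
# numeric limits are assumptions; size them for your real client population.
ext_if = "em0"
web_ports = "{ 80, 443 }"

# Table that collects source addresses which trip a limit. pf fills it via
# the overload option below; the block rule consults it on every packet.
table <slow_http> persist

# Drop everything from a source that has already been penalised.
block in quick on $ext_if from <slow_http>

# Allow HTTP to this host, but per source address:
#   max-src-states 50      at most 50 simultaneous state entries from one IP
#                          (source-track rule: counted for this rule only)
#   max-src-conn-rate 30/10  at most 30 new connections per 10 seconds
#   max-src-nodes 10000    track at most 10000 distinct source addresses
#   overload <slow_http> flush global
#                          on exceeding a limit, add the source to the table
#                          and kill all of its existing states on every rule
pass in on $ext_if proto tcp from any to ($ext_if) port $web_ports \
    flags S/SA keep state \
    (source-track rule, max-src-nodes 10000, max-src-states 50, \
     max-src-conn-rate 30/10, overload <slow_http> flush global)
```

Load it with pfctl -f /etc/pf.conf and inspect the penalised sources with pfctl -t slow_http -T show; pfctl -s states shows the per-source state counts the limits act on. For an attacker that holds many slow connections open from one address, max-src-states is the limit that bites. Two caveats a practitioner would want: many legitimate clients behind one NAT address share that address's budget, so a limit that is too tight blocks them as a group, and as the comment notes, none of this helps once the connections are spread across many source addresses.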