Comment OpenBSD's pf has some mitigation features (Score 2, Informative) 203

OpenBSD's pf firewall has some options that can help mitigate the "single attacker, single source IP" version of this attack. Of course if the attackers decide to spread the attack out over multiple source IPs like a DDoS, this becomes much harder to deal with until Apache has a patch.

Filter rules that create state entries can specify various options to control the behavior of the resulting state entry. The following options are available:

max number
    Limit the maximum number of state entries the rule can create to
    number. If the maximum is reached, packets that would normally
    create state fail to match this rule until the number of existing
    states decreases below the limit.

no state
    Prevents the rule from automatically creating a state entry.

source-track
    This option enables the tracking of number of states created per
    source IP address. The total number of source IP addresses tracked
    globally can be controlled via the src-nodes runtime option.

max-src-nodes number
    When the source-track option is used, max-src-nodes will limit the
    number of source IP addresses that can simultaneously create state.
    This option can only be used with source-track rule.

max-src-states number
    When the source-track option is used, max-src-states will limit the
    number of simultaneous state entries that can be created per source
    IP address. The scope of this limit (i.e., states created by this
    rule only or states created by all rules that use source-track) is
    dependent on the source-track option specified.
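Putting the options quoted above into a rule set, as an added example that is not part of the commenter's post or of the pf.conf manual page: it assumes an external interface macro $ext_if and an Apache listener on TCP port 80, and it adds the related max-src-conn, max-src-conn-rate and overload options (also real pf.conf options, though not quoted above) so that a source which exhausts its per-IP budget is moved into a table and blocked outright instead of merely failing to match the pass rule.

```pf
# Constructed example pf.conf fragment (assumed $ext_if, Apache on port 80).

ext_if = "em0"

# Cap the global source-tracking table so an attacker cycling through
# many source addresses cannot exhaust kernel memory (the src-nodes
# runtime option referred to in the manual page).
set limit src-nodes 10000

# Sources that trip the limits below are collected here; "persist"
# keeps the table around even while it is empty.
table <http_abusers> persist

# Anything already in the table is dropped before any stateful rule runs.
block in quick on $ext_if from <http_abusers>

# One state per connection; track state counts per source address and
# enforce per-source ceilings.  A source that exceeds them is added to
# <http_abusers>, and "flush" kills that source's existing states too.
pass in on $ext_if proto tcp from any to ($ext_if) port 80 \
    flags S/SA keep state \
    (source-track rule, \
     max-src-nodes 5000, \
     max-src-states 25, \
     max-src-conn 20, \
     max-src-conn-rate 15/5, \
     overload <http_abusers> flush)
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -t http_abusers -T show` lists what has been trapped and `pfctl -t http_abusers -T flush` releases it. The per-source numbers are deliberately conservative guesses and need tuning for the site: a large NAT or proxy in front of many real users shows up as a single source IP and will hit max-src-states and max-src-conn long before a slow-connection attacker does, so watch the table for false positives, and as the comment notes none of this helps once the attack is spread across many source addresses.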
