Article 6FJE9 OpenBSD PF-based firewalls suffer differently from denial of service attacks


by Thom Holwerda, from OSnews (#6FJE9)

Suppose, hypothetically, that you have some DNS servers that are exposed to the Internet behind an OpenBSD PF-based firewall. Since you're a sensible person, you have various rate limits set in your DNS servers to prevent or at least mitigate various forms of denial of service attacks. One day, your DNS servers become extremely popular for whatever reason, your rate limits kick in, and your firewall abruptly stops allowing new connections in or out. What on earth happened?

It's a quirk of PF in OpenBSD, and this post provides more details and possible mitigations.

Feed Location http://www.osnews.com/files/recent.xml
Feed Title OSnews
Feed Link https://www.osnews.com/