стоит pf
в нем есть такие правила:
# pf ruleset for a NAT gateway: translates the $local_if network out through
# $inet_if and $prov_if and rate-limits inbound HTTP and SSH connections.
# NOTE(review): no default "block" rule is visible in this listing, so a packet
# that matches no rule below is passed by pf's implicit default - confirm that
# this is intended.
# NOTE(review): a volumetric flood that fills the uplink cannot be relieved by
# rules on this host; that kind of traffic has to be filtered upstream.
# NOTE(review): check with "pfctl -sr" / "pfctl -sn" that the "ng*" pattern is
# matched against the intended interfaces - confirm.
inet_if = "ng*"
local_if = "bridge0"
prov_if = "vr1"
# ICMP types admitted by the last rule: echo request and destination unreachable.
icmp_types="{ echoreq, unreach}"
# pf does no filtering at all on interfaces listed under "set skip".
set skip on lo0
set skip on $local_if
# Normalisation: reassemble inbound fragments; on output randomise the IP id
# field and clamp the TCP MSS to 1440.
scrub in all fragment reassemble
scrub out all random-id max-mss 1440
# Source NAT for the local network on each uplink; the parentheses make pf
# follow the interface's current address.
nat on $inet_if from { $local_if:network } to any -> ($inet_if)
nat on $prov_if from { $local_if:network } to any -> ($prov_if)
# Passes every IGMP and UDP packet on $prov_if in both directions, IP options
# included. Because the rule is "quick", evaluation stops here, so the
# <ddos>/<badhosts> blocks further down never apply to UDP on this interface.
# $local_if is already skipped above, so listing it has no filtering effect.
# NOTE(review): unsolicited UDP replies arriving on $prov_if are admitted by
# this rule; narrow it to the UDP services actually needed - confirm which.
pass quick on { $prov_if $local_if } proto { igmp udp } to any allow-opts modulate state
# Stateful pass for all outbound traffic on the filtered interfaces.
pass out all allow-opts keep state
# Tables filled by the "overload" options on the HTTP and SSH rules; "persist"
# keeps a table even while no rule refers to it.
table <badhosts> persist
table <ddos> persist
# Blocks for listed sources. The "quick" rule on the second line already stops
# packets from <ddos> or <badhosts> on every filtered interface, so the first
# and third rules look redundant - NOTE(review): confirm and simplify.
block on $inet_if from <badhosts> to any
block log quick from { <ddos>, <badhosts> }
block drop in quick on $inet_if from <badhosts> to any
# Also stop traffic leaving $inet_if towards <badhosts>.
block drop out quick on $inet_if from any to <badhosts>
## allow HTTP
# synproxy: pf completes the TCP handshake itself before creating state.
# A source holding more than 200 established connections, or opening more than
# 100 in 2 seconds, is added to <ddos> and its existing states are flushed.
# These limits count TCP connections to this port only; they do nothing
# against a UDP flood.
pass in inet proto tcp from any to any port http synproxy state \
(max-src-conn 200, max-src-conn-rate 100/2, overload <ddos> flush)
## allow SSH
# Same scheme for SSH, with logging: more than 10 connections, or more than 5
# new ones in 60 seconds, moves the source into <badhosts>.
pass in log inet proto tcp from any to any port ssh synproxy state \
(max-src-conn 10, max-src-conn-rate 5/60, overload <badhosts> flush)
# Logged pass for the ICMP types in $icmp_types, in either direction.
pass log inet proto icmp all icmp-type $icmp_types
даже и 10-50 ботов не выдержало....
било вот этим:
15:28:45.938714 IP h2098142.stratoserver.net.domain > radist04ka.63388: 41037 240/13/1 A 204.46.43.117, A 204.46.43.86, A 204.46.43.214, A 204.46.43.51, A 204.46.43.61, A 204.46.43.11, A 204.46.43.225, A 204.46.43.207, A 204.46.43.173, A 204.46.43.48, A 204.46.43.109, A 204.46.43.23, A 204.46.43.181, A 204.46.43.236, A 204.46.43.63, A 204.46.43.16, A 204.46.43.143, A 204.46.43.179, A 204.46.43.209, A 204.46.43.31, A 204.46.43.34, A 204.46.43.201, A 204.46.43.89, A 204.46.43.53, A 204.46.43.70, A 204.46.43.119, A 204.46.43.8, A 204.46.43.154, A 204.46.43.2, A 204.46.43.235, A 204.46.43.64, A 204.46.43.66, A 204.46.43.25, A 204.46.43.126, A 204.46.43.120, A 204.46.43.38, A 204.46.43.182, A 204.46.43.204, A 204.46.43.108, A 204.46.43.26, A 204.46.43.224, A 204.46.43.101, A 204.46.43.72, A 204.46.43.6, A 204.46.43.135, A 204.46.43.139, A 204.46.43.237, A 204.46.43.218, A 204.46.43.32, A 204.46.43.124, A 204.46.43.107, A 204.46.43.144, A 204.46.43.141, A 204.46.43.160, A 204.46.43.130, A 204.46.43.192, A 204.46.43.189, A 204.46.43.131, A 204.46.43.103, A 204.46.43.187, A 204.46.43.105, A 204.46.43.149, A 204.46.43.57, A 204.46.43.87, A 204.46.43.191, A 204.46.43.148, A 204.46.43.172, A 204.46.43.231, A 204.46.43.215, A 204.46.43.74, A 204.46.43.159, A 204.46.43.18, A 204.46.43.83, A 204.46.43.17, A 204.46.43.59, A 204.46.43.220, A 204.46.43.22, A 204.46.43.60, A 204.46.43.118, A 204.46.43.39, A 204.46.43.71, A 204.46.43.198, A 204.46.43.162, A 204.46.43.84, A 204.46.43.158, A 204.46.43.100, A 204.46.43.232, A 204.46.43.138, A 204.46.43.9,[|domain]
что ни пробовал, так и не нашёл, что это.... ну вот, это ампла (DNS-амплификация: в дампе ответ с порта domain с 240 записями в секции ответа)
но по словам, даже рутрекер не справляется с атакой.