Syslog upon discarding a First/Opening State

  • Hi Forum,

    I'd like to share an idea and also ask if it's possible.

    We had a DDoS attack on our cluster (~1.000.000 unique hosts), which was practically a SYN Flood towards a PAT'ed port.
    As such, states were overflowed -> Downtime.
    Regardless of our response to the incident (set aggressive mode / pfblocker etc.), I was wondering if pf can inform us with a log upon a discarded connection attempt due to the timeout on the pf.first state.

    Of course, I understand we have a syslog during the SYN packet processing, but having the above log stream may allow us - during a SYN Flood DDoS attack - to identify the subset of the attackers and block them earlier in the path.

    I would appreciate your opinion on this idea and if it is technically possible.

    Kind regards,


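As an added illustration of the idea in the post (this is not code from the thread or from pf itself), the Python script below correlates a hypothetical per-SYN log with a hypothetical "first state expired" log to shortlist sources whose handshakes never complete. The message format and the sample lines are constructed assumptions, since the post is asking whether pf can emit such a log at all; a real deployment would need the actual syslog format and thresholds tuned to the site's traffic.

```python
import re
from collections import Counter

# Constructed sample syslog lines in a HYPOTHETICAL format assumed for this
# example: "syn in" = a logged SYN, "state expired tcp.first" = a state that
# was discarded because the handshake never completed within the timeout.
SAMPLE_LOG = """\
Jan 10 12:00:01 fw pf: syn in src=198.51.100.7:40001 dst=203.0.113.10:443
Jan 10 12:00:01 fw pf: syn in src=198.51.100.7:40002 dst=203.0.113.10:443
Jan 10 12:00:02 fw pf: syn in src=198.51.100.7:40003 dst=203.0.113.10:443
Jan 10 12:00:02 fw pf: syn in src=203.0.113.77:51000 dst=203.0.113.10:443
Jan 10 12:00:03 fw pf: syn in src=203.0.113.77:51001 dst=203.0.113.10:443
Jan 10 12:00:03 fw pf: syn in src=203.0.113.77:51002 dst=203.0.113.10:443
Jan 10 12:00:04 fw pf: syn in src=192.0.2.55:1111 dst=203.0.113.10:443
Jan 10 12:00:04 fw pf: syn in src=192.0.2.55:1112 dst=203.0.113.10:443
Jan 10 12:00:04 fw pf: syn in src=192.0.2.55:1113 dst=203.0.113.10:443
Jan 10 12:00:05 fw pf: syn in src=192.0.2.99:3001 dst=203.0.113.10:443
Jan 10 12:00:05 fw pf: syn in src=192.0.2.99:3002 dst=203.0.113.10:443
Jan 10 12:00:33 fw pf: state expired tcp.first src=203.0.113.77:51002 dst=203.0.113.10:443
Jan 10 12:00:34 fw pf: state expired tcp.first src=192.0.2.55:1111 dst=203.0.113.10:443
Jan 10 12:00:34 fw pf: state expired tcp.first src=192.0.2.55:1112 dst=203.0.113.10:443
Jan 10 12:00:34 fw pf: state expired tcp.first src=192.0.2.55:1113 dst=203.0.113.10:443
Jan 10 12:00:35 fw pf: state expired tcp.first src=192.0.2.99:3001 dst=203.0.113.10:443
Jan 10 12:00:35 fw pf: state expired tcp.first src=192.0.2.99:3002 dst=203.0.113.10:443
"""

LINE_RE = re.compile(
    r"pf: (?P<event>syn in|state expired tcp\.first) src=(?P<src>[\d.]+):\d+ ")


def per_source_counts(log):
    """Return {src: (syn_count, expired_first_count)} from the assumed format."""
    syns, expired = Counter(), Counter()
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            (syns if m.group("event") == "syn in" else expired)[m.group("src")] += 1
    return {s: (syns[s], expired[s]) for s in set(syns) | set(expired)}


def flood_candidates(log, min_expired=3, min_ratio=0.9):
    """Sources whose SYNs almost never complete a handshake: at least min_expired
    discarded first states AND expired/SYN ratio >= min_ratio. A legitimate host
    that merely lost one packet (203.0.113.77) stays below the ratio, and a source
    with only two expirations (192.0.2.99) stays below the count threshold."""
    flagged = []
    for src, (syn, exp) in per_source_counts(log).items():
        if exp >= min_expired and exp / max(syn, 1) >= min_ratio:
            flagged.append(src)
    return sorted(flagged)  # review list, e.g. for a pf table after inspection
```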