Syslog upon discarding a First/Opening State
Hi Forum,
I'd like to share an idea and also ask if it's possible.
We had a DDoS attack on our cluster (~1.000.000 unique hosts), which was practically a SYN flood towards a PAT'ed port.
As such, the states overflowed -> downtime.
Regardless of our response to the incident (set aggressive mode, pfBlocker, etc.), I was wondering if pf can inform us with a log upon a discarded connection attempt due to the timeout on the pf.first state. Of course, I understand we have a syslog during the SYN packet processing, but having the above log stream may allow us - during a SYN flood DDoS attack - to identify the subset of the attackers and block them earlier in the path.
I would appreciate your opinion on this idea and if it is technically possible.
Kind regards,
Dimitris
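Until pf logs the discarded half-open states themselves, the same subset of sources can be read off the live state table. The following is an added example (not from the post or from pf/pfSense) that parses constructed `pfctl -ss` output and counts half-open inbound TCP states per remote address; the line layout, the `CLOSED`/`SYN_SENT` pairing and the IPv4-only remote field are assumptions about pf's listing format.

```python
import re
from collections import Counter

# Constructed sample of `pfctl -ss` output. Layout assumed from pf's state
# listing: "<iface> <proto> <our addr> [(<nat addr>)] <- <remote addr>   <state>:<state>".
# A half-open inbound state shows one side SYN_SENT and the other CLOSED.
SAMPLE_STATES = """\
all tcp 203.0.113.10:443 (10.0.0.5:443) <- 198.51.100.7:40001       CLOSED:SYN_SENT
all tcp 203.0.113.10:443 (10.0.0.5:443) <- 198.51.100.7:40002       CLOSED:SYN_SENT
all tcp 203.0.113.10:443 (10.0.0.5:443) <- 198.51.100.7:40003       CLOSED:SYN_SENT
all tcp 203.0.113.10:443 (10.0.0.5:443) <- 192.0.2.33:51000       ESTABLISHED:ESTABLISHED
all tcp 203.0.113.10:443 (10.0.0.5:443) <- 192.0.2.34:51001       CLOSED:SYN_SENT
all udp 203.0.113.10:53 <- 192.0.2.35:4444       SINGLE:NO_TRAFFIC
"""

# One inbound TCP state line; the "(nat)" group is optional for non-PAT rules.
# IPv4 only (assumption); pf prints IPv6 peers differently.
STATE_RE = re.compile(
    r"^\S+\s+tcp\s+(?P<local>\S+)(?:\s+\(\S+\))?\s+<-\s+"
    r"(?P<remote>[\d.]+):\d+\s+(?P<a>\w+):(?P<b>\w+)$"
)

def half_open_sources(pfctl_output):
    """Count half-open inbound TCP states per remote address."""
    counts = Counter()
    for line in pfctl_output.splitlines():
        m = STATE_RE.match(line.strip())
        if not m:
            continue  # outbound, non-TCP or otherwise unparsed line
        # Order-independent: accept either CLOSED:SYN_SENT or SYN_SENT:CLOSED.
        if {m["a"], m["b"]} == {"CLOSED", "SYN_SENT"}:
            counts[m["remote"]] += 1
    return counts

def suspects(pfctl_output, threshold):
    """Remote addresses holding at least `threshold` half-open states."""
    counts = half_open_sources(pfctl_output)
    return sorted(ip for ip, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    for ip, n in half_open_sources(SAMPLE_STATES).most_common():
        print(f"{ip}\t{n} half-open")
    print("candidates for blocking:", suspects(SAMPLE_STATES, 3))
```

Feed it real output with `pfctl -ss | python3 script.py` style piping, and keep in mind that SYN-flood source addresses are often spoofed, so the resulting list is a candidate set to review rather than a confirmed attacker list.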