Max new connections / per second
We've been recently hit by a virus inside the company. One of our worker's computer got controlled by a botnet that launched a DDoS attack against a remote site. Since then, of course we did the usual cleaning stuff. On the moment of the attack, that infected machine was loading up our pfSense's state table by making a lot of rapid connections. We want to prevent this in the future by enforcing a method of connections rate limit on the "LAN -> !DMZ -> WAN" rule. We don't want to be too aggressive on this rule so that legitimate users don't get blocked uselessly. What is the recommended rate that we should apply? Is there a way to gather statistical usage on a normal working day to see the maximum connections that has been established from a single machine in a period of time?
Thanks for your support!