First keep calm and check your firewall/router state table:
fw1:~# pfctl -si | grep current
current entries 421356
Here we have a state table with much more entries than usual (400K instead of 100K). There is very probably an ongoing attack.
Which IP is targeted ?
For this task i use this script:
fw1:~# fw1:~# pfctl -ss | top_states.pl
62.210.216.82 (387654)
62.210.119.54 (1544)
62.210.216.10 (900)
62.210.216.13 (864)
...
The targeted IP will have an abnormally large number of entries. Here the winner is 62.210.216.82
On which port ?
fw1~# pfctl -ss | grep -- "-> 62.210.216.82" | awk '{print $5}' | sort -n | uniq -c
200307 62.210.216.82:80
Classic HTTP Flood attack.
At this point we have two possibilities:
- limits the number of simultaneous connections to the targeted IP
- block any access to the targeted IP
The first solution is appropriate in case of small scale attack. The latter is more extreme but has the advantage to not put at risk the rest of the network.
Limit the number of simultaneous connections
Add the following rule before the one authorizing the port 80:
pass in quick on $ext_if proto tcp to 62.210.216.82 port http keep state (max 10000)Then kill all the supernumerary state entries:
fw1:~# pfctl -k 0.0.0.0/0 -k 62.210.216.82
fw1:~# pfctl -k 62.210.216.82
Block any access
Add the following rule:
block in quick on $ext_if to 62.210.216.82Then kill all the supernumerary state entries:
fw1:~# pfctl -k 0.0.0.0/0 -k 62.210.216.82
fw1:~# pfctl -k 62.210.216.82