# Pf fails to drop 50% of the UDP flood from single source
## benzedrine (Mar 12, 2014)

Hi,
I have a setup with 3 machines as follows:
A--->B--->C

Machine A: attacker
Machine B: firewall (pf)
Machine C: victim

I am sending a UDP flood from A to C and expect B to block 50% of it, so that only half of the flood reaches C.
I have the following rule in pf.conf on machine B:

```
# UDP_Flood prevention: Drop 50% of all port 69
block in log (all) quick on $ext_if proto udp to any port { 69 } probability 50%
```
On machine A, I perform the attacks using hping3. When I run hping3 to generate packets with random sources, using the following command:
`hping3 --flood --rand-source --udp  10.0.1.2 -p 69`
it works as expected and 50% of the traffic is blocked on B. However, when I run hping3 to generate packets with the same source, using the following command:
`hping3 --flood --udp  10.0.1.2 -p 69`
PF does NOT block the flood. All the traffic is passed to machine C, which is not expected. Any ideas why PF works when the flood is from random sources but does not work when it's from a single source?

Thanks in advance.


----------



## junovitch@ (Mar 12, 2014)

Perhaps the fact that it's the same source is causing PF to treat it as part of the same state.  What happens when you toss a "no state" at the end of the rule?
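To make the state explanation concrete, here is a small added simulation of pf's packet path (example code, not from the thread or from pf itself) run over the two hping3 cases from the question. It assumes three things: a packet matching an existing state entry skips the ruleset; the block rule above drops half of the packets that do reach the ruleset; and a surviving packet hits a later `pass` rule that keeps state (pf's default), and the single-source flood shares one flow key, with 10.0.1.1 as a constructed address for A.

```python
import random

# Added toy model of pf's packet path; not code from the thread or from pf.
# Assumptions (labelled): a packet that matches an existing state bypasses
# the ruleset; the block rule from the thread drops 50% of packets that do
# reach the ruleset; a packet that survives hits a later "pass" rule, which
# keeps state by default, so its flow is then in the state table.

BLOCK_PROBABILITY = 0.5    # "probability 50%" on the block rule
VICTIM = ("10.0.1.2", 69)  # machine C and the UDP port from the thread


def run_flood(packets, rng):
    """Return how many of `packets` reach C.

    `packets` is an iterable of flow keys (src_ip, src_port, dst_ip, dst_port);
    `rng` is a seeded random.Random so results are reproducible.
    """
    states = set()
    passed = 0
    for flow in packets:
        if flow in states:          # state lookup comes before the ruleset
            passed += 1
            continue
        if rng.random() < BLOCK_PROBABILITY:   # block ... probability 50%
            continue
        states.add(flow)            # assumed: later pass rule keeps state
        passed += 1
    return passed


def single_source_flood(n):
    """hping3 --flood --udp: assumes every packet shares one flow key."""
    return [("10.0.1.1", 40000) + VICTIM] * n   # 10.0.1.1 is a constructed A


def random_source_flood(n, rng):
    """hping3 --flood --rand-source --udp: a fresh source per packet."""
    return [("10.%d.%d.%d" % (rng.randrange(256), rng.randrange(256),
                              rng.randrange(256)),
             rng.randrange(1024, 65536)) + VICTIM for _ in range(n)]


def passed_fraction(random_source, n=10000, seed=1):
    """Fraction of the flood that reaches C under the model."""
    rng = random.Random(seed)
    packets = random_source_flood(n, rng) if random_source else single_source_flood(n)
    return run_flood(packets, rng) / n


if __name__ == "__main__":
    print("single source:", passed_fraction(False))  # ~1.0: first survivor opens a state
    print("random source:", passed_fraction(True))   # ~0.5: every packet walks the ruleset
```

Under these assumptions the single-source flood is only blocked until the first packet slips through; after that every packet matches the state and the probability rule is never consulted, which is the behaviour described in the question.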


----------



## benzedrine (Mar 13, 2014)

The result didn't change when I added "no state" at the end of the rule. Pf is still failing to block half of the UDP flood traffic.


----------

