Netgate Discussion Forum
    Anyone experience high Download usage on WAN even if there is no users?

General pfSense Questions | 15 Posts, 3 Posters, 1.2k Views
johnpoz (LAYER 8 Global Moderator) @tjsas1

@tjsas1 What is the traffic? Again, blocking has nothing to do with it; the interface still "sees" the traffic even if the firewall blocks it.

Do a quick sniff. If it's that much traffic, it should be very easy to see what it is from only a short sniff.

What does the firewall say it is from the block: what source IP(s), what port, what protocol? TCP/UDP?

It is not unheard of for some gamer to try and DoS a fellow player..

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 25.07 | Lab VMs 2.8, 25.07

tjsas1 @johnpoz

        @johnpoz

        Hi, appreciate the response.

It's a UDP from an external IP to my public IP.

johnpoz (LAYER 8 Global Moderator) @tjsas1

          @tjsas1 said in Anyone experience high Download usage on WAN even if there is no users?:

It's a UDP from an external IP to my public IP.

What UDP port? Is it all the same external IP? Is it always the same port? Could be you had 53 (DNS) open at one time? Could be you're part of a P2P cloud?

Here is the thing: there is nothing pfSense can do to prevent inbound traffic to it.. You either need to fix whatever on the outside might be pointing to your IP in the first place.. Or you need to change your IP.. (this can normally be done by changing the MAC of your device; pfSense can set a different MAC address via the clone feature).. And then get another IP from your ISP.

Or you need to contact your ISP if it's excessive inbound traffic that you do not want and have no idea why, etc.

tjsas1 @johnpoz

@johnpoz From multiple of the same IP with port 11211 to my port 80.
It's a dedicated IP that I don't use for any hosting.

johnpoz (LAYER 8 Global Moderator) @tjsas1

              @tjsas1 said in Anyone experience high Download usage on WAN even if there is no users?:

              11211

The source port would be random, unless it is the same session from that device. UDP to port 80, so QUIC? In your sniff, I would download it and open it in, say, Wireshark so you can see exactly what the traffic is asking for, what the payload of it is, etc.

Are you sure you have the direction correct on the ports? Are you sure it's not something answering you from their port 80 to your IP on that port?

Could you post up exactly what you're seeing? Sure, hide part of your public IP. What would be great is the sniff of this traffic.. You can remove your IP from the sniff, etc. Here is a good tool for sanitizing sniffs before posting, to make sure your public IP is not listed, etc.

              https://www.tracewrangler.com/

tjsas1 @johnpoz

@johnpoz I see it now; the following are causing the issue.

[screenshot attachment]

I am just not sure why blocking the IP won't work.

johnpoz (LAYER 8 Global Moderator) @tjsas1

                  @tjsas1 said in Anyone experience high Download usage on WAN even if there is no users?:

                  I am just not sure why blocking the IP won't work

Because the traffic has already gone down your connection to you.. It's blocked by default anyway.. All unsolicited traffic inbound to the WAN is dropped by default. There is nothing you can do about the amount of traffic sent to your IP. It has already gone down your connection and used up your bandwidth; whether your device (firewall) processes it or not, it's already used up your bandwidth. The only way to stop a volumetric attack is at your ISP, before it is sent down your connection using up your pipe.

So you wrangled your public IP to 192.168.1.5? It would be nicer to make that clearly made up, like 1.2.3.4 or something ;)

Did you also wrangle the source IP? It's coming from an Indian-owned IP. That IP is listed as static.vnpt.vn

                  inetnum:        223.185.28.0 - 223.185.31.255
                  netname:        MOHALI-UN
                  descr:          Bharti Airtel Limited, Plot Number 21 Rajiv Gandhi Technology Park In Bharti Airtel Campus, I T Park, Chandigarh - 160001
                  country:        IN
                  
                  ;; QUESTION SECTION:
                  ;223.185.30.123.in-addr.arpa.   IN      PTR
                  
                  ;; ANSWER SECTION:
                  223.185.30.123.in-addr.arpa. 7047 IN    PTR     static.vnpt.vn.
                  
                  

There is a known DoS attack using memcached, that 11211 port:

                  https://www.cloudflare.com/learning/ddos/memcached-ddos-attack/

If you cannot easily change your IP, I would get with your ISP about that traffic.


Gertjan @johnpoz
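The triage johnpoz lays out in this thread (sniff the WAN, find the flow that is eating the pipe, look at what it is asking for, and sanitize your public IP before posting the capture) plus the memcached/11211 signature from this post, as an added example that is not from the thread, pfSense or Netgate: a stdlib-only Python script that summarises a classic pcap by 5-tuple, flags unsolicited inbound UDP whose source port is a known reflector port (11211 memcached among them), and rewrites the victim's public IP to 1.2.3.4 with the IPv4 header checksum recomputed. The capture it runs on is constructed inline from RFC 5737 documentation addresses; 192.0.2.10 plays the victim's public IP and 198.51.100.7 the reflecting memcached server, and neither is from the thread. The reflector ports other than 11211, and all function names, are my own.

```python
"""Triage a WAN pcap: top flows, UDP reflection signature, IP sanitising. Added example, stdlib only."""
import struct
import ipaddress
from collections import defaultdict

# UDP services commonly abused as reflectors, keyed by the SOURCE port seen at the victim.
# 11211 (memcached) is the port from the thread; the other entries are my own additions.
REFLECTOR_PORTS = {11211: "memcached", 123: "ntp", 53: "dns", 1900: "ssdp", 389: "cldap"}
ETH_IPV4, PCAP_MAGIC = b"\x08\x00", 0xA1B2C3D4  # EtherType IPv4; classic pcap magic

def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement checksum of an IPv4 header; yields 0 when the stored checksum is valid."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def iter_records(data: bytes):
    """Yield (frame_offset, captured_len) for each record of a classic (non-pcapng) pcap file."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC else ">"
    off = 24  # skip the global header
    while off + 16 <= len(data):
        incl = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        yield off + 16, incl
        off += 16 + incl

def parse_pcap(data: bytes):
    """Yield (src, sport, dst, dport, proto, captured_len) for every Ethernet/IPv4 frame."""
    for f, incl in iter_records(data):
        frame = data[f:f + incl]
        if incl < 34 or frame[12:14] != ETH_IPV4:
            continue  # ARP, IPv6, VLAN-tagged frames etc. are ignored in this demo
        ihl = (frame[14] & 0x0F) * 4
        src = str(ipaddress.IPv4Address(frame[26:30]))
        dst = str(ipaddress.IPv4Address(frame[30:34]))
        sport = dport = None
        if frame[23] in (6, 17) and len(frame) >= 14 + ihl + 4:  # TCP or UDP: ports follow the IP header
            sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
        yield src, sport, dst, dport, frame[23], incl

def summarize(data: bytes):
    """Packets and bytes per 5-tuple, biggest flow first: the 'what is it?' question in the thread."""
    flows = defaultdict(lambda: [0, 0])
    for src, sport, dst, dport, proto, n in parse_pcap(data):
        flows[(src, sport, dst, dport, proto)][0] += 1
        flows[(src, sport, dst, dport, proto)][1] += n
    return sorted(flows.items(), key=lambda kv: kv[1][1], reverse=True)

def flag_reflection(data: bytes, my_ip: str):
    """Unsolicited inbound UDP *from* a reflector port is the amplification signature.
    Replies to queries we sent ourselves (tracked by outbound dst/port) are not reported."""
    flows = summarize(data)
    solicited = {(dst, dport) for (src, _, dst, dport, proto), _ in flows if src == my_ip and proto == 17}
    return [{"src": src, "service": REFLECTOR_PORTS[sport], "dport": dport, "packets": pkts, "bytes": nbytes}
            for (src, sport, dst, dport, proto), (pkts, nbytes) in flows
            if proto == 17 and dst == my_ip and sport in REFLECTOR_PORTS and (src, sport) not in solicited]

def sanitize(data: bytes, my_ip: str, placeholder: str = "1.2.3.4") -> bytes:
    """Replace my_ip by an obviously fake address and recompute the IPv4 header checksum.
    UDP/TCP checksums (which cover the addresses via the pseudo-header) are left alone, so
    Wireshark may flag them; TraceWrangler from the thread handles those properly."""
    real, fake = ipaddress.IPv4Address(my_ip).packed, ipaddress.IPv4Address(placeholder).packed
    out = bytearray(data)
    for f, incl in iter_records(data):
        if incl < 34 or out[f + 12:f + 14] != ETH_IPV4:
            continue
        ihl = (out[f + 14] & 0x0F) * 4
        for pos in (f + 26, f + 30):  # source address, then destination address
            if out[pos:pos + 4] == real:
                out[pos:pos + 4] = fake
        out[f + 24:f + 26] = b"\x00\x00"  # zero the checksum field before recomputing it
        out[f + 24:f + 26] = struct.pack("!H", ipv4_checksum(bytes(out[f + 14:f + 14 + ihl])))
    return bytes(out)

def checksums_valid(data: bytes) -> bool:
    """True if every IPv4 header in the capture carries a correct checksum."""
    return all(ipv4_checksum(data[f + 14:f + 14 + (data[f + 14] & 0x0F) * 4]) == 0
               for f, incl in iter_records(data) if incl >= 34 and data[f + 12:f + 14] == ETH_IPV4)

def build_udp_frame(src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    """Ethernet + IPv4 + UDP frame for the constructed sample (UDP checksum 0 = not used)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return b"\x00" * 12 + ETH_IPV4 + ip + udp

def sample_capture(my_ip="192.0.2.10") -> bytes:
    """Constructed capture (RFC 5737 addresses): a DNS exchange we started, then 5 unsolicited memcached hits."""
    frames = [build_udp_frame(my_ip, "203.0.113.5", 50000, 53, b"q" * 40),
              build_udp_frame("203.0.113.5", my_ip, 53, 50000, b"a" * 200)]
    frames += [build_udp_frame("198.51.100.7", my_ip, 11211, 80, b"x" * 1200)] * 5
    pcap = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for i, fr in enumerate(frames):
        pcap += struct.pack("<IIII", 1700000000 + i, 0, len(fr), len(fr)) + fr
    return pcap

if __name__ == "__main__":
    cap = sample_capture()
    print(summarize(cap)[0], flag_reflection(cap, "192.0.2.10"))
    print(len(sanitize(cap, "192.0.2.10")), "bytes ready to share")
```

Run it on a real file with `flag_reflection(open("wan.pcap", "rb").read(), "<your public IP>")` and hand the `sanitize` output to the forum. The solicited-flow check is the point a plain port filter misses: a DNS reply from port 53 looks like a reflector packet unless you remember you sent the query, which is exactly the state the firewall keeps. As the thread says, none of this stops the bytes arriving on the WAN; it only tells you what to show the ISP.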

If you really experience some kind of "DoS attack": look at the first 10 videos here.

Now you know what can be done.

Change your WAN IP. Keep your new IP hidden by using a VPN client for all your outgoing traffic. No one will find your WAN IP, as it is a VPN IP, and you can change that with a click of your mouse. You will receive no unwanted traffic, or only very little random unwanted traffic. Just the usual 'Internet noise'.

Don't make enemies on the Internet. There will always be people that will find you and try to saturate your access to the net.

You can even try this: go visit your ISP, and ask them for access to their routers/firewall. Now you will be able to select what traffic goes to you.

                    No "help me" PM's please. Use the forum, the community will thank you.
                    Edit : and where are the logs ??

tjsas1 @Gertjan

                      @gertjan @johnpoz

Thanks everyone. This is really a learning time. I really appreciate your responses.

johnpoz (LAYER 8 Global Moderator) @tjsas1

@tjsas1 The problem is the ISP most likely will do nothing about it, unless this is a business line and you have DDoS protection with them (normally not free)..

Your best bet is probably to get your IP changed. If you cannot do it locally by altering your pfSense MAC address on its public interface, then get with your ISP and ask them to change your IP, because you're seeing inbound DoS traffic; send them the sniffs you did showing the traffic, etc., and any info you can gather about the amount. I wouldn't hide your public IP in those sniffs ;)

The problem with such traffic is there is nothing you can do at your end, other than changing your IP..

                        internet -- isp --- 10mbps connection --- you

If the internet is sending you 10 Mbps of traffic and filling up your pipe, there is really nothing you can do at your end.. The traffic, whether you drop it on your end or not, is still using up your connection. It's a common misconception as to what a firewall can do.. Now if there was, say, 1 Mbps of traffic being sent to your server behind your router/firewall, and this 1 Mbps of traffic was hurting your server's performance, then you could filter that from being sent on to your server. But as long as the traffic is sent, your connection would still see the 1 Mbps of traffic.. You need to stop the traffic from being sent to you down your limited connection. This is either done at the ISP end, or you need to change your IP so that traffic to 1.2.3.4 doesn't go down your connection.

Other option ;) Get a fatter connection, heheh.. If you had 1 Gbps and they were only sending 10 Mbps, then it wouldn't be a problem.. But if they were sending 1 Gbps, you have the same problem.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.