With Suricata running, pfSense crashes when DDoS'ed
-
Hi
When Suricata is running, the FW crashes when DDoS'ed when hit with around 140K PPS.
Without it, it runs fine and is fairly resilient, with a lot less strain on the CPU, which is understandable.
The reason for the crash with Suricata seems to be the log writing speed. When hit, it can't keep up writing the logs and crashes.
I can't get any logs out from that point in time since it's going very fast.
-
Isn't that the very definition of what a DoS tries to do?
If every incoming packet header receives a lot of CPU attention, like having it analysed by whatever userland process like Suricata, things will go bad. Writing logs for now, memory and missing processor capacity will be next. I was under the impression that Suricata would scan headers of packets that are part of an existing active connection, not every packet that drops in.
Or bind it to the LANs, not the WAN, as packets get dropped anyway and as fast as possible. It can be done, of course, but your "processing power pipe" has to be bigger than your WAN throughput pipe.
-
@gertjan It is. Topping out at around 1 Gbit/s. Pipe is 10 Gbit/s.
Without Suricata running the FW fares well and load sits below 25% on CPU and 4% RAM.
When SC is running then it dies instantly. Both legacy and inline mode.