Netgate Discussion Forum
    Help me to detect and how to defence in this scenario

    General pfSense Questions
    4 Posts 2 Posters 916 Views

    littleghost:

      We are facing a big problem. In the normal scenario, the firewall has about 200Mbps of traffic on the UNSECURED_NETWORK interface. Now it has the same traffic but very many packets that we don't know what they are (about 200kpps). The network is dead and the active states have increased too much. We made a rule to block any host with:
      Max. connections: 20
      Max. src. states: 20
      Max. src. conn. rate: 20
      Max. src. conn. rate window: 30s

      This rule will get 3Gb of data in 3 mins, but only a few IP addresses were blocked (about 10).

      http://prntscr.com/ck529b (this image shows the current active states we get)
      http://prntscr.com/ck53yv (bandwidth is ok but the network is dead)

      UNSECURED_NETWORK is the WAN interface; it will be a transparent bridge with SECURED_NETWORK, which is directly connected to servers that have public IP addresses.
      http://prntscr.com/ck59pi (we do not have many rules. Basically, we only want to make a transparent firewall to monitor the network before traffic comes to the public switch)

      We can't detect what type of attack it is, how to block it or how to defend against it. We hope someone can make a suggestion.
      Thanks in advance.

      johnpoz (LAYER 8 Global Moderator):

        And what is in these packets? What are the source and dest? What is the protocol? You have got to give us more to go on here.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        littleghost:

          We don't know what type these packets are; ntop reports that 40% is http and https, 20% is unknown… We don't have an IDS system to detect it. The source and destination addresses have many problems:
          our network: 125.212.x.x
          source network: comes from all over the world
          destination network: 149.56.149.42
          You can see here: http://prntscr.com/ck6cjb

          The source and destination addresses aren't in our IP address range. I don't understand why they are there.

          johnpoz (LAYER 8 Global Moderator):

            Well, sniff and see.. You're saying this 149.56.149.42 is not your IP block? But traffic is being routed to you.. Well, I would get with your ISP on why you're seeing traffic to an IP that is not yours.

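Added example, not code from the thread or from pfSense: a small Python analysis over a constructed set of flow records that shows the two things this thread turns on, how much of the traffic crossing the bridge is addressed to prefixes the site does not own (assumed here to be everything outside 125.212.0.0/16), and why a per-source limit of 20 connections per 30 s blocks only a handful of sources when the load is spread across many of them. All addresses and timings in the sample are constructed except the 149.56.149.42 destination quoted in the thread.

```python
import ipaddress
from collections import Counter, defaultdict

# Prefix this firewall protects (assumption: the thread only says 125.212.x.x)
OWNED_PREFIXES = [ipaddress.ip_network("125.212.0.0/16")]

def build_sample_flows():
    """Constructed flow records (ts_seconds, src_ip, dst_ip); not real captures."""
    flows = []
    # legitimate traffic: 40 clients, one new connection each, to a server we own
    for i in range(40):
        flows.append((i * 0.5, f"198.51.100.{i}", "125.212.1.5"))
    # distributed flood: 200 sources, 5 connections each, to an address we do not own
    for i in range(200):
        for k in range(5):
            flows.append((k * 6.0, f"203.0.113.{i}", "149.56.149.42"))
    # one loud source that really does exceed 20 connections inside 30 s
    for k in range(25):
        flows.append((float(k), "192.0.2.77", "149.56.149.42"))
    return flows

def is_owned(ip):
    """True if ip lies inside a prefix this firewall is supposed to protect."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OWNED_PREFIXES)

def sources_over_limit(flows, limit=20, window_s=30.0):
    """Sources opening more than `limit` connections in any `window_s` span,
    i.e. roughly what 'Max. src. conn. rate 20 / 30 s' would catch."""
    times_by_src = defaultdict(list)
    for ts, src, _dst in flows:
        times_by_src[src].append(ts)
    tripped = []
    for src, times in times_by_src.items():
        times.sort()
        j = 0
        for i, t in enumerate(times):
            while times[j] < t - window_s:   # slide the window start forward
                j += 1
            if i - j + 1 > limit:            # more than `limit` inside the window
                tripped.append(src)
                break
    return sorted(tripped)

def analyse_flows(flows):
    """Summarise who is sending to what, and how much of it is even ours."""
    foreign = [f for f in flows if not is_owned(f[2])]
    return {
        "total": len(flows),
        "foreign": len(foreign),            # flows to IPs we do not own
        "foreign_pct": round(100 * len(foreign) / len(flows), 1),
        "top_foreign_dst": Counter(f[2] for f in foreign).most_common(3),
        "sources": len({f[1] for f in flows}),
        "tripped": sources_over_limit(flows),
    }
```

On the sample, 96% of flows go to an address outside the owned prefix, yet only one of 241 sources exceeds the per-source rate, which is the pattern the thread describes and why a destination-based check (or the ISP, for traffic that should never have been routed to you) matters more than per-source limits here.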
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.