DDoS protection with pfSense
-
@erick51 It's hard and needs serious hardware.
It's packet related (PPS) and not the traffic itself.
If the traffic is forwarded to the game server, then it's not a FW problem.
-
Hello there, @Cool_Corona.
Would a dedicated computer running pfSense be enough to deal with those packets?
Do you recommend any reading material where I can learn more about this?
-
@erick51 Depending on the specs.
The real problem here is logging and the write speed of the logs.
They are not quick enough in Suricata, among other things.
Suricata can detect it and block it, but not fast enough.
-
@cool_corona It would be a 7th gen Intel i7 (not sure about the model, but it's a laptop I'm not using) with 16 GB DDR4 RAM and a 240 GB NVMe.
I'm kinda new to this firewall stuff, so I'm trying to learn how to protect my network.
-
@erick51 It's a steep learning curve regarding DDoS.
There are a lot of other issues surrounding it that need to be in place too.
-
@erick51 said in DDoS protection with pfSense:
Right now I have a 2.5 Gbps fiber connection
Don't bother: whatever you do on your side, you can be put out of business very easily.
The solution is: infinite bandwidth, and some really heavy equipment to deal with blocking IPs or even entire networks. Both are, if they existed, not affordable.
You have 2.5 Gbit down? For a couple of $ or € I can rent a DDoS service that fills up your 'pipe' to the max. I don't care if you 'handle' packets on your side. The pipe is full; nothing else, like regular users, can pass through.
And things get even worse: if you host your own services, your ISP might call you and say: Listen, we like you as a customer, you paid your bills etc. etc. etc., but inbound traffic is overwhelming, our equipment is melting and other users are also starting to suffer, so, regretfully, we have to cancel our services on our side. Have a nice day.
I'm not saying that these guys have the solution, nor that this brand is OK, but read this:
https://www.ovhcloud.com/en-ca/security/anti-ddos/
Just look at what they have put in place to protect their == your server. DDoS protection needs equipment that isn't affordable if you do it yourself.
IMHO: it's far easier to rent a server for 50 $ (?) a month, and know that you will be able to be online and available even when "they" throw terabytes at you. Hosting a server at home is OK, but you should invite only people that you know. Like: the ones you talk with IRL. The ones you trust. As soon as you let in a 'Kevin', and 'Kevin' becomes unhappy, it's game over.
Remember: it's 2022.
-
@gertjan Not entirely true.
Together with a group of guys in Bulgaria, we downed OVH easily in May this year.
It's advertising BS from their side.
You can mitigate a DDoS using pfSense if you configure state handling the right way and disable the logging and desktop widget in pfSense.
When Suricata is disabled you can easily mitigate 8-9 Gbit/s on pfSense.
Doing it frequently at customer sites.
-
@cool_corona said in DDoS protection with pfSense:
we downed OVH
Which one? http://weathermap.ovh.net/ (only showing Europe, not the world).
OVH was just an example. I understand that they won't publish the exploit that was putting them off the grid. Anyway, you proved my point in two ways:
- Who "has the biggest" matters.
- It's soooo easy to push down through your pipe the maximum it can handle. Fine, you 'accept' the packets on your side, and you discard them right away. Every DDoS packet received cannot be a packet of a real client.
Infrastructure on the other, ISP side, somewhere at their location, will also get impacted.
ISPs are not there to give you an "Internet connection", they are there to make money. So they won't get the biggest, greatest, and latest in protection. Btw: what use is it if you can handle xxxx Gbit/s if traffic comes in at 2.5 Gbit/s??
-
@gertjan We didn't use bandwidth-intensive DDoS scenarios.
It was all packets-per-second related, using different patterns of traffic and protocols.
You can down anything if the logging is substantial and that process is not optimized together with a very fast storage subsystem.
And that is the Achilles heel of pfSense.
-
@gertjan I understand bandwidth is the main issue when it comes to DDoS, but as I said, the max traffic I'm getting is around 600 Mbps. We are in South America and paying for a decent attack here is quite expensive. They are using free booters to attack my server and it really bothers me that I can't protect myself even from small attacks like that.
As I said before, I'm no expert and wanted to know if I'm not wasting my time and resources by setting up a pfSense to mitigate it.
-
@erick51 You can. But it takes experience and knowledge.
And you need hardware with dual Xeon processors to cope.
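As an added illustration (not posted by anyone in this thread) of what "configure state handling the right way" and "disable the logging" look like in pf terms: pfSense normally sets these per rule under Advanced Options, and the generated ruleset uses the pf syntax below. The interface name, server address and port are assumptions.

```pf
# Added illustration, not from the thread: pf state-tracking options of the kind
# pfSense exposes under a rule's "Advanced Options". Names below are assumptions.
ext_if   = "igb0"          # WAN interface (assumed)
game_srv = "192.0.2.10"    # game server behind the firewall (documentation address)
game_port = "27015"        # assumed service port

# Table that collects sources exceeding the limits; "persist" keeps it when empty.
table <flooders> persist

# A big state table and aggressive timeouts, so idle states from a flood
# expire quickly instead of pinning memory.
set limit states 1000000
set optimization aggressive

# Drop known offenders first. No "log" keyword: the thread's point is that
# log writes, not packet handling, are what fall over under a PPS flood.
block in quick on $ext_if from <flooders> to any

# TCP: synproxy completes the handshake in the firewall, so half-open floods
# never reach the host. Per source: at most 50 established connections and
# 20 new ones per 5 seconds; an offender is tabled and all its states flushed.
pass in quick on $ext_if proto tcp from any to $game_srv port $game_port \
    flags S/SA synproxy state \
    (max-src-conn 50, max-src-conn-rate 20/5, overload <flooders> flush global)

# UDP: pf still tracks states, but max-src-conn/-rate and overload are TCP
# only. The cap below simply refuses new states from a source past 100.
pass in quick on $ext_if proto udp from any to $game_srv port $game_port \
    keep state (max-src-states 100)
```

`pfctl -t flooders -T show` lists the sources the TCP rule has trapped, and `pfctl -si` shows state-table usage and per-second packet counters, which is where a PPS flood shows up before bandwidth does.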