Am I being DoS attacked?
-
Hi,
This sounds really bad and I don't know what to make of things... I noticed that my streamed music suddenly went "choppy" for a few seconds and then went back to normal. The graph below shows my WAN:
At the lowest point, where it normally is, it's about ~300-400 Kb/s. So what could be the cause of such a thing? I didn't see anything weird in the log that isn't normally there... It has happened a few times before, but long in between.
Thanks
-
@furom I would think any actual DoS attack is going to be more than a few seconds. I have seen plenty of things that cause issues...my "favorite" was at a client where a Mac would occasionally (once a month or so) upload something big and cause massive packet loss on the Internet for a while. We finally tracked it down by its MAC address. User had no idea, therefore we assumed a backup or similar. IIRC we gave it a DHCP reserved IP and de-prioritized its uploads.
If you're logging blocks from the default block rule it would show in the firewall log. We generally turn that off unless we're troubleshooting something since it's just a lot of noise.
-
That is pass inbound on the WAN so you have some firewall rules on the WAN allowing it. What are they?
-
@steveits said in Am I being DoS attacked?:
In this case it has previously not shown anything in my logs; I have been logging blocks, but they show nothing to support what I hear... So back to the question... Would it be a possibility, however unlikely?? 2.7 Mbit is not very much though and should not have such an impact...
-
@stephenw10 said in Am I being DoS attacked?:
That is pass inbound on the WAN so you have some firewall rules on the WAN allowing it. What are they?
Most definitely not?! That is way beyond anything intentional if that is really the case... I have no rules on WAN other than the default, plus a floating rule blocking outbound RFC1918 to WAN.
These are all my WAN rules:
And the floating RFC1918 block:
-
Then likely replies to outbound connections from something. Not a DoS attack in that case.
I would expect to see some outbound traffic at the time but perhaps you just disabled that on the graph?
-
@stephenw10 said in Am I being DoS attacked?:
Then likely replies to outbound connections from something. Not a DoS attack in that case.
I would expect to see some outbound traffic at the time but perhaps you just disabled that on the graph?
Unfortunately I did disable that. Now when I go back I see nothing at the same timestamp... :(
-
Not even a tiny increase? It only requires minimal outbound traffic to request much larger replies.
-
@stephenw10 said in Am I being DoS attacked?:
Not even a tiny increase? It only requires minimal outbound traffic to request much larger replies.
I think I managed to create a view that shows it; I'm not so great with these graphs. It is based on the same data as the first, but custom and just showing the hour it happened:
Looks to me as if "delay average" dipped at the time, whatever that is?
-
That's the ping time to the gateway so it's not like it caused increased WAN latency.
The outpass total value is what I'd be looking at there and it's too small to see in that graph.
-
@stephenw10 said in Am I being DoS attacked?:
That's the ping time to the gateway so it's not like it caused increased WAN latency.
The outpass total value is what I'd be looking at there and it's too small to see in that graph.
Agreed. Just so strange, and a little unsettling... Can I add some sort of logging that can be left running if it should happen again?
-
@furom This may help some?
-
Not really. That's pretty much what I'd expect to see for that level of downloading.
Basically it looks like something in your network downloaded something. Not especially unusual.
-
@stephenw10 That's at least something good then. The stuttering is a bit annoying, but happens rarely so if there is nothing else that ought to be done, I'll let it be then. Thanks
-
You'd only really expect it to cause issues with other traffic if it was filling the available WAN bandwidth. You might just not be seeing the actual peak there because of the averaging in the RRD graphs.
-
@stephenw10 That may be so of course. Where would I find the data the graphs are generated from? Perhaps it will give some more details?
-
@furom Just to add my 2 cents here: proprietary streaming services (and we all know who we are talking about, for music at least) can sometimes create TCP tunnels that pass a UDP stream on the inside. And, in some cases, this could lead to dropped states (the firewall closes the connection because it considers it to be stale) because the keep-alive of the service is too low, coupled with a fast connection that has loaded the whole song or podcast in less time than the keep-alive of the connection.
Maybe try changing the state policy of pfSense to conservative (System->Advanced->Firewall and NAT->Packet Processing->Firewall Optimization Options)?
-
@nightlyshark Thanks, that can be an option. But as is now it happens rarely so was more interested in finding the cause if possible. I will remember this if it gets worse though :)
-
@furom said in Am I being DoS attacked?:
Where would I find the data the graphs are generated from? Perhaps it will give some more details?
You can find the rrd files the graphs are generated from in /var/db/rrd but there will not be any more data there than the graphs can display. The purpose of RRD is to retain older data at lesser resolution.
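The averaging that hides the peak, as stephenw10 describes it, is easy to see with a small simulation. This is an added example and not code from the thread or from pfSense: the baseline rate, burst size, burst length and link capacity are constructed values, and the `consolidate()` function is a simplified model of how an RRD collapses per-second samples into coarser steps as data ages.

```python
"""Why a short burst can vanish from an averaged RRD graph.

Constructed example: one hour of 1-second WAN throughput samples with a
10-second download burst, then consolidated the way an RRD does when it
keeps older data at a coarser step. All numbers are made up for the demo.
"""

# Constructed scenario (not measured data from the thread)
BASELINE_BPS = 300_000        # ~300 kbit/s of background traffic
BURST_BPS = 30_000_000        # a 30 Mbit/s download burst
BURST_START_S = 1200          # burst begins 20 minutes into the hour
BURST_LEN_S = 10              # ...and lasts 10 seconds
HOUR_S = 3600
WAN_LINK_BPS = 25_000_000     # assumed link capacity; the burst fills it


def make_samples(duration_s=HOUR_S, baseline=BASELINE_BPS,
                 burst_start=BURST_START_S, burst_len=BURST_LEN_S,
                 burst=BURST_BPS):
    """Return `duration_s` per-second throughput samples (bits/s) with one burst."""
    samples = [baseline] * duration_s
    for t in range(burst_start, burst_start + burst_len):
        samples[t] = burst
    return samples


def consolidate(samples, step_s, cf="AVERAGE"):
    """Collapse every `step_s` consecutive samples into one data point.

    cf mimics an RRD consolidation function: AVERAGE (what a throughput
    graph normally shows) or MAX (keeps the peak of each window).
    """
    if cf == "AVERAGE":
        def reduce(chunk):
            return sum(chunk) / len(chunk)
    elif cf == "MAX":
        reduce = max
    else:
        raise ValueError(f"unknown consolidation function {cf!r}")
    return [reduce(samples[i:i + step_s]) for i in range(0, len(samples), step_s)]


def seconds_saturated(samples, link_bps=WAN_LINK_BPS):
    """Count the seconds in which traffic met or exceeded the link capacity."""
    return sum(1 for s in samples if s >= link_bps)


def compare_views(samples=None):
    """Peak as seen at raw, 1-minute-average and 5-minute-average resolution."""
    if samples is None:
        samples = make_samples()
    return {
        "raw_peak_bps": max(samples),
        "avg_60s_peak_bps": max(consolidate(samples, 60)),
        "avg_300s_peak_bps": max(consolidate(samples, 300)),
        "max_300s_peak_bps": max(consolidate(samples, 300, cf="MAX")),
        "saturated_seconds": seconds_saturated(samples),
    }


if __name__ == "__main__":
    for name, value in compare_views().items():
        print(f"{name:>20}: {value:,.0f}")
```

With these constructed numbers a 10-second burst that saturates the assumed 25 Mbit/s link shows up as 5.25 Mbit/s on a 1-minute average and only 1.29 Mbit/s on a 5-minute average, while a MAX consolidation would have kept the 30 Mbit/s peak. Reading the files under /var/db/rrd with `rrdtool fetch <file> AVERAGE` returns those consolidated values, not the per-second samples, which is why the raw data cannot give more detail than the graph.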
-
@stephenw10 Oh, thanks. For a bit I was hoping for the opposite... :)