Slow network download. Is pfsense under attack? Please help me
-
Dear Users,
during the last two weeks, I noticed that network performance degraded dramatically.
A test host behind the firewall can send data to the internet without problem (very good bit rate), but it is not able to download similar data from the internet with the expected throughput (we have two 10Gbps ISP links). We checked everything: hardware status, configuration, BGP, rules and so on. The only thing I can see is that pfsense seems to be under attack. It seems a scan attack or a SYN flood DOS attack, but I'm not an expert and I'm not sure I understand correctly what is happening.
Could you please take a look at the attached firewall logs?
What are your ideas/suggestions?
If pfsense is under attack, how to mitigate it?
Thank you in advance,
Mauro
-
That doesn't look like a particularly high traffic rate. < 10 connections a second.
Check the Status > Monitoring graphs for the WAN. Look at the in-block rates for traffic and packets. If you are (or were) under some sort of attack it will be obvious there.
-
@stephenw10 thank you
Unfortunately, I'm not able to see in-block rates in Status -> Monitoring.
I'm using v.2.7.0 CE
Thanks
-
Why not? What do you see?
-
Hi @stephenw10, this is what I see
-
You see the wrench - top bar on the right side?
Click it!
Select the info you want to see.
-
Hi @Gertjan, thank you very much for your help.
Now I can see the graph I need, but I'm still a newbie and I'm not able to understand if these values can be related to a suspicious DDOS attack or not. What's your idea? This is the graph with the in-block info.
Thank you in advance,
Mauro
-
What about uncluttering the info shown?
Example:
First: the right axis: set it to None.
Then, remove every "pass" graph by clicking on the colored circles, leaving only "blocking".
What you will see is what's been blocked ...
What I see is a bit of "the internet's usual background noise traffic". Nothing out of the ordinary. To see what a DOS is, use this as a guideline.
So, start nagging 'them' and as soon as you draw their attention, be prepared, and have a second identity ready.
-
Look at the inblock numbers. The maximum you're seeing (in that screenshot) is 27kbps. So basically nothing.
Sometimes you can see an attack that is low total bandwidth but a high number of tiny packets so check the pps in block value too. However at 27kbps you are not seeing that either.
-
@stephenw10 @Gertjan thanks, I found that the problem is a hardware problem. I will open a new case about backup and restore.
See you later :)
Mauro