Netgate Discussion Forum

Slow network download. Is pfsense under attack? please help me

General pfSense Questions
  • M
    mauro.tridici
    last edited by Jun 12, 2024, 9:18 PM

    Dear Users,

    During the last two weeks, I noticed that network performance degraded dramatically.
    A test host behind the firewall can send data to the internet without problems (very good bit rate), but it is not able to download similar data from the internet with the expected throughput (we have two 10Gbps ISP links).

    We checked everything: hardware status, configuration, bgp, rules and so on. The only thing I can see is that pfsense seems to be under attack. It seems a scan attack or a SYN flood DOS attack, but I'm not an expert and I'm not sure I understand correctly what is happening.

    Could you please take a look at the attached firewall logs?
    What is your idea/suggestions?
    If pfsense is under attack, how to mitigate it?

    Thank you in advance,
    Mauro

    firewall-logs.txt

    • S
      stephenw10 Netgate Administrator
      last edited by Jun 12, 2024, 10:08 PM

      That doesn't look like a particularly high traffic rate. < 10 connections a second.

      Check the Status > Monitoring graphs for the WAN. Look at the in-block rates for traffic and packets. If you are (or were) under some sort of attack it will be obvious there.

      • M
        mauro.tridici @stephenw10
        last edited by Jun 12, 2024, 10:13 PM

        @stephenw10 thank you

        Unfortunately, I'm not able to see in-block rates in Status -> Monitoring.
        I'm using v.2.7.0 CE

        Thanks

        • S
          stephenw10 Netgate Administrator
          last edited by Jun 12, 2024, 11:58 PM

          Why not? What do you see?

          • M
            mauro.tridici @stephenw10
            last edited by Jun 13, 2024, 8:07 AM

            Hi @stephenw10 , this is what I see

            • G
              Gertjan @mauro.tridici
              last edited by Jun 13, 2024, 8:42 AM

              @mauro-tridici

              You see the wrench - top bar on the right side ?
              Click it !
              Select the info you want to see.

              • M
                mauro.tridici @Gertjan
                last edited by Jun 13, 2024, 9:04 AM

                Hi @Gertjan , thank you very much for your help.
                Now I can see the graph I need, but I'm still a newbie and I'm not able to understand if these values can be related to a suspicious DDOS attack or not.

                What's your idea? This is the graph with the in-block info.
                Thank you in advance,
                Mauro

                  • G
                    Gertjan @mauro.tridici
                    last edited by Jun 13, 2024, 10:26 AM

                    @mauro-tridici

                    What about uncluttering the info shown ?

                    Example :

                    First : The right axis : set it to None.

                    Then, remove every "pass" graph by clicking on the colored circles, leaving only "blocking".

                    What you will see is what's been blocked ...
                    What I see is a bit of "the internet's usual back ground noise traffic". Nothing out of the ordinary.

                    To see what a DOS is, use this as a guideline.
                    So, start nagging 'them' and as soon as you draw their attention, be prepared, and have a second identity ready.

                    • S
                      stephenw10 Netgate Administrator
                      last edited by Jun 13, 2024, 12:57 PM

                      Look at the inblock numbers. The maximum you're seeing (in that screenshot) is 27kbps. So basically nothing.

                      Sometimes you can see an attack that is low total bandwidth but a high number of tiny packets so check the pps in block value too. However at 27kbps you are not seeing that either.

                      M 1 Reply Last reply Jun 13, 2024, 1:24 PM Reply Quote 1
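
Added example (not part of any post in this thread): the two checks discussed above, blocked bits per second and blocked packets per second on the WAN, computed from firewall log text instead of read off the Monitoring graph. It assumes BSD-style syslog lines and the IPv4 filterlog CSV field order; the function name, interface `ix0`, host name and sample lines are constructed for illustration, and only packets blocked by rules with logging enabled appear in such a log.

```python
from collections import Counter

# Constructed sample lines in pfSense's filterlog CSV layout (IPv4, BSD syslog
# prefix). Host name, interface ix0 and all addresses are made up for the example.
SAMPLE_LOG = """\
Jun 12 21:00:01 fw filterlog[1234]: 4,,,1000000103,ix0,match,block,in,4,0x0,,52,0,0,DF,6,tcp,60,203.0.113.7,198.51.100.10,40001,22,0,S,1,,64240,,mss
Jun 12 21:00:01 fw filterlog[1234]: 4,,,1000000103,ix0,match,block,in,4,0x0,,52,0,0,DF,6,tcp,60,203.0.113.7,198.51.100.10,40002,23,0,S,1,,64240,,mss
Jun 12 21:00:01 fw filterlog[1234]: 4,,,1000000103,ix0,match,block,in,4,0x0,,240,0,0,none,17,udp,40,192.0.2.55,198.51.100.10,5060,5060,20
Jun 12 21:00:02 fw filterlog[1234]: 9,,,1700000001,ix0,match,pass,in,4,0x0,,60,0,0,DF,6,tcp,60,192.0.2.80,198.51.100.10,51000,443,0,S,1,,64240,,mss
Jun 12 21:00:02 fw filterlog[1234]: 4,,,1000000103,ix0,match,block,in,4,0x0,,52,0,0,DF,6,tcp,60,203.0.113.7,198.51.100.10,40003,3389,0,S,1,,64240,,mss
Jun 12 21:00:02 fw sshd[900]: constructed non-filterlog line
"""


def blocked_rates(log_text, iface="ix0"):
    """Peak packets/s and kbit/s of logged inbound blocks on iface, plus top sources."""
    pkts, bits, sources = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        head, sep, body = line.partition(": ")
        if not sep or "filterlog" not in head:
            continue
        f = body.split(",")
        # f[4]=interface, f[6]=action, f[7]=direction, f[8]=IP version
        if len(f) < 20 or f[8] != "4":
            continue
        if (f[4], f[6], f[7]) != (iface, "block", "in"):
            continue
        second = head[:15]               # "Mmm dd HH:MM:SS" -> one-second bucket
        pkts[second] += 1
        bits[second] += int(f[17]) * 8   # f[17] = IP total length in bytes
        sources[f[18]] += 1              # f[18] = source address
    return {
        "peak_pps": max(pkts.values(), default=0),
        "peak_kbps": max(bits.values(), default=0) / 1000,
        "top_sources": sources.most_common(3),
    }


if __name__ == "__main__":
    print(blocked_rates(SAMPLE_LOG))
```

A low `peak_kbps` together with a high `peak_pps` is the small-packet pattern described above; a handful of packets per second spread over unrelated sources is the background noise case.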
                      • M
                        mauro.tridici @stephenw10
                        last edited by Jun 13, 2024, 1:24 PM

                        @stephenw10 @Gertjan thanks, I found that the problem is a hardware problem. I will open a new case about backup and restore.

                        see you later :)
                        Mauro

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.