Help : one machine bringing down the entire LAN subnet
-
Hi,
My company is using a pfsense 1.2.3 machine as router and firewall. Everything used to work fine until recently, where all connectivity is lost on the LAN interface ( which is on a VLAN, if it matters ). After quite some time troubleshooting, I isolated the problem, if I connect one machine on the lan, the entire lan is no longer responsive. I can ping the default gateway, which is the lan interface of the pfsense machine, but the connectivity is so bad that I need to refresh the web page 10+ times to be able to see the pfsense admin. Nothing passes the router, Unpluging the guilty machine resolves the problem instantly and nothing special appear in the pfsense system logs.
The machine guilty of bringing everything down has been connected for long and was working fine until a few days.
All the lan machines are connected to the pfsense machine through the same two switches.
The only two thing that make this machine special on pfsense is that it has a fixed IP address association in the DHCP server, an outgoing access to three more ports than the others.
Does anyone have a clue or a similar experience ?
-
Perhaps you should start a packet capture on pfSense and then connect this purticular computer to the network, to get an idea of what kind of traffic it's propagating and why this traffic would case issues on your pfSense device?
Andreas
-
Thanks, that's actually a great suggestion. I did provide interesting results.
The machine spams the network with requests on a specific IP address, belonging to a company selling DDOS protection, which seems legit. "Black Lotus Communications". The machine must have a backdoor installed used to perform DDOS attacks.
-
Glad to hear you managed to find the cause.
It's a bit concerning however that the spam traffic from the affected computer seems to bring pfSense to more or less a halt.
pfSense can't prevent the traffic from hitting its LAN interface by itself, but have you tried creating a firewall rule which denies this computer access to WAN altogether, to see if that helps, as this will at least stop pfSense from having to route this traffic?
Andreas
-
If the machin is spamming to an suspect IP address cut it from the network, save all data on the mahcine, check them for viruses and trojans and then kill the machin and do a reinstallation.
The problem ist not pfsense or your network - it is the maleware!