Pfsense freeze at DDoS attack - Tuning?
-
There is an option in PFSense that has a linear reduction in state live time after a threshhold. I'm not at home to look at it, but I think it's under advanced or something in the general settings.
In my case, I have it set to 3mil state, with a 4mil hard cap. So after 3mil states are created, the live time of those states will keep reducing at more states get added. By the time 4mil states exist, if a state isn't refreshed almost immediately, the state will get killed as being "old".
Another idea that popped into my head, I have no practice in these kinds of issues, but it seems as if the client machine is ACKing all of those SYNs, as it should. Would rate limiting new connections per client be an acceptable trade-off, assuming it can be done at a per client level.
Another possibility could be rate limiting via traffic shaping, how much bandwidth SYN packets get for that customer.
Just throwing around ideas.
I forgot to reply you! :-\ thanks for the tips! :)
I will try playing with those states, if others have better ideas let us know :) -
Its not to be found under system -> advanced…
-
It's where ever you set max states, I think. I forgot to check when I got home yesterday….. Definitely in the menu at the top left.
-
FOUND IT!
Thanks mate! ;)
-
FOUND IT!
Thanks mate! ;)
In case others wonder
Advanced->Firewall/NAT->Firewall Adaptive Timeouts
-
Any progress of this? We are currently testing different attack scenarios and settings and currently we can make pfsense survive the floods but only barely.
-
Supermule, at what rates and what type of CPU?
-
Currently seeing 7,5mbit and 140K states and the pipe becomes unstable using ping….
-
We could test againt http://store.netgate.com and see how robust it is??
I mean we report something and no reply at all to what can be done to make it more robust/resistent.
-
Its a weekend man - I'm sure they will be getting back with you Monday. No need to DDOS their stores I think. haha
-
I wouldnt do that, but hey…. what to do to get their attention to this pretty important issue :)
-
I imagine they want to give their GFs and wives a little personal time sometimes…
Maybe there is currently no fix? Nothing to say? Things are always quieter on the forum weekends...
Plus in texas where a few of the main guys are located, its like EARLY morning.
-
Only the earliest bird cataches the fattest worms ;)
-
DDOS'n someone else's servers is probably a great way to get the FBI involved.
-
Its for testing purposes :D
No harm done. They sell it, we test it against what they have….
No crime involved :D
-
For me it looks like the attack bypass the syncookie feature, and then causing this massive ACK from pfsense = too much to handle… crash...
-
I got an out-of-the-box install on my pfsense, and I got no custom WAN firewall/rules, I also got no vpn_WAN rules either, can any1 link me a guide for that?
Im alone in my household and I only use WAN for outgoing DNS and for establishing an openvpn connection.
-
A DDOS guide for WAN rules and OpenVPN? What? Are you in the correct thread?
-
What are your WAN firewall rules? By default, PFSense should be dropping incoming data, not responding to it.
Im wondering about this reply, since it suggests that rules are needed for wan interface.
-
What are your WAN firewall rules? By default, PFSense should be dropping incoming data, not responding to it.
Im wondering about this reply, since it suggests that rules are needed for wan interface.
If you want to listen for connections, which is why I asked because DDOS attacks have different characteristics if you accept connections than if you don't.