Netgate Discussion Forum
    Pfsense freeze at DDoS attack - Tuning?

Category: Firewalling
68 Posts 10 Posters 23.0k Views
Supermule:

      FOUND IT!

      Thanks mate! ;)

Harvy66:

        @Supermule:

        FOUND IT!

        Thanks mate! ;)

In case others wonder:

        Advanced->Firewall/NAT->Firewall Adaptive Timeouts

Supermule:
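The setting Harvy66 points at (System > Advanced > Firewall & NAT, "Firewall Adaptive Timeouts") exposes pf's adaptive.start and adaptive.end. Per pf.conf(5), once the state count exceeds adaptive.start every state timeout is multiplied by (adaptive.end - states) / (adaptive.end - adaptive.start), reaching zero at adaptive.end; pf's defaults are 60% and 120% of the state limit. The following Python model is an added example, not code from this thread or from pfSense. It assumes a hypothetical state limit of 200,000, pf's default tcp.first timeout of 120 s for half-open states, and 64-byte SYN frames; the flood rate is a constructed figure chosen to match the 7.5 Mbit/s mentioned later in the thread.

```python
"""Added example: model pf adaptive state timeouts under a SYN flood.

Scaling rule as documented in pf.conf(5):
    factor = (adaptive.end - states) / (adaptive.end - adaptive.start)
applied to every timeout once states > adaptive.start, clamped to [0, 1].
"""

# pf default timeout for a half-open (SYN seen, no handshake) TCP state, seconds.
TCP_FIRST_DEFAULT = 120


def pf_adaptive_defaults(state_limit):
    """pf's default adaptive.start / adaptive.end: 60% and 120% of the limit."""
    return int(state_limit * 0.6), int(state_limit * 1.2)


def adaptive_factor(states, adaptive_start, adaptive_end):
    """Multiplier pf applies to all state timeouts at a given state count."""
    if adaptive_end <= adaptive_start:
        raise ValueError("adaptive.end must be greater than adaptive.start")
    if states <= adaptive_start:
        return 1.0
    if states >= adaptive_end:
        return 0.0
    return (adaptive_end - states) / (adaptive_end - adaptive_start)


def scaled_timeout(base_timeout, states, adaptive_start, adaptive_end):
    """Effective timeout (seconds) for a state created when the table holds `states`."""
    return base_timeout * adaptive_factor(states, adaptive_start, adaptive_end)


def steady_state_half_open(pps, base_timeout, adaptive_start, adaptive_end):
    """Steady-state number of half-open states a flood of `pps` new SYNs/s holds.

    Little's law: states = pps * timeout, but timeout itself shrinks with the
    adaptive factor, so solve states = pps * base_timeout * factor(states).
    Below adaptive.start the factor is 1; above it the closed-form solution of
    the linear region is used (it always lands strictly below adaptive.end).
    """
    unscaled = pps * base_timeout
    if unscaled <= adaptive_start:
        return float(unscaled)
    return unscaled * adaptive_end / (adaptive_end - adaptive_start + unscaled)


def syn_pps_from_bandwidth(mbit_per_s, frame_bytes=64):
    """Packets per second carried by a flood of minimum-size frames (assumption)."""
    return mbit_per_s * 1_000_000 / 8 / frame_bytes


if __name__ == "__main__":
    limit = 200_000                      # assumed state limit, not a pfSense default
    start, end = pf_adaptive_defaults(limit)
    for states in (100_000, 140_000, 180_000, 240_000):
        t = scaled_timeout(TCP_FIRST_DEFAULT, states, start, end)
        print(f"{states:>7} states -> tcp.first effectively {t:6.1f}s")
    pps = syn_pps_from_bandwidth(7.5)    # constructed: the thread's 7.5 Mbit figure
    held = steady_state_half_open(pps, TCP_FIRST_DEFAULT, start, end)
    print(f"{pps:.0f} SYN/s settles at ~{held:.0f} half-open states "
          f"(unscaled would be {pps * TCP_FIRST_DEFAULT:.0f})")
```

The point of the model: adaptive timeouts do not stop a flood from filling the table, they only cap how many half-open states it can hold by shortening every timeout, legitimate established sessions included, so raising the state limit without also raising the hardware's capacity to churn states just moves the cliff.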

Any progress on this? We are currently testing different attack scenarios and settings, and currently we can make pfSense survive the floods, but only barely.

Harvy66:

            Supermule, at what rates and what type of CPU?

Supermule:

Currently seeing 7.5 Mbit and 140K states, and the pipe becomes unstable when pinging...

[attachments: pfsense_ESXi.PNG, pfsense.PNG]

Supermule:

We could test against http://store.netgate.com and see how robust it is?

I mean, we report something and get no reply at all on what can be done to make it more robust/resistant.

kejianshi:

It's a weekend, man - I'm sure they will be getting back to you Monday. No need to DDoS their store, I think. haha

Supermule:

I wouldn't do that, but hey... what to do to get their attention to this pretty important issue :)

kejianshi:

I imagine they want to give their GFs and wives a little personal time sometimes...

Maybe there is currently no fix? Nothing to say? Things are always quieter on the forum on weekends...

Plus in Texas, where a few of the main guys are located, it's like EARLY morning.

Supermule:

Only the earliest bird catches the fattest worms ;)

Harvy66:

DDoSing someone else's servers is probably a great way to get the FBI involved.

Supermule:

                            Its for testing purposes :D

No harm done. They sell it, we test it against what they have...

                            No crime involved :D

lowprofile:

For me it looks like the attack bypasses the syncookie feature, and then causes this massive ACK from pfSense = too much to handle... crash...

Mithrondil:

I have an out-of-the-box install of pfSense with no custom WAN firewall rules, and no vpn_WAN rules either. Can anyone link me a guide for that?

I'm alone in my household and I only use WAN for outgoing DNS and for establishing an OpenVPN connection.

Harvy66:

A DDoS guide for WAN rules and OpenVPN? What? Are you in the correct thread?

Mithrondil:

                                    @Harvy66:

What are your WAN firewall rules? By default, pfSense should be dropping incoming data, not responding to it.

I'm wondering about this reply, since it suggests that rules are needed for the WAN interface.

Harvy66:

                                      @Mithrondil:

                                      @Harvy66:

What are your WAN firewall rules? By default, pfSense should be dropping incoming data, not responding to it.

I'm wondering about this reply, since it suggests that rules are needed for the WAN interface.

Only if you want to listen for connections. That is why I asked: DDoS attacks have different characteristics if you accept connections than if you don't.

Supermule:

You can kill a pfSense FW even if no rules are applied on WAN... and that's weird.

keyser:

?? Are you saying this specific SYN flood kills the firewall with states even if you have no PASS rules on the WAN interface? So it accepts the packet and creates a state even though it should be blocked?

I'm worried about this issue! Still no word or reply from the pfSense guys?

                                          Love the no fuss of using the official appliances :-)

Harvy66:

I think it doesn't actually create a state; I think it adds a route, according to one person's idea of what's going on.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.