Netgate Discussion Forum

    [SOLVED] DDos-Protection

    Firewalling
    15 Posts 8 Posters 20.1k Views
    • user12

      Hi!

      I have a webserver behind my pfSense; both ports 80 and 443 are NATed, but users are usually redirected to HTTPS by default.

      My question is: What can I do for DDoS protection? I already installed Snort, which is listening on the DMZ interface.
      Plus I've seen that I can set a max. number of connections for the NAT rule, which is working (I've tried; I wasn't able to open more than x connections to the site with my browser).
      Is that a sensible thing to do? Limiting it to 100-200 connections would perfectly satisfy my needs; there won't be more than this number of connections at a time…

      Edit: Max number of states is what I mean.
      Is there a difference from the maximum number of connections?

      • KOM

        My question is: What can I do for DDos-Protection?

        Nothing. If the world's largest online corporations can't protect their assets from DDoS (think Pokemon Go, PS4 network, Xbox network, etc.), then what do you think you're going to do? IDS/IPS are useless against DDoS because the traffic is already hitting your WAN.

        • kpa

          The issue is that the DDoS is going to clog your connection before you have any chance to react to it, and even if you manage to react, you can't limit the traffic coming your way, because your upstream router is going to keep sending those packets regardless of what your firewall does.

          • user12

            Ok… so there are absolutely no tricks or anything one can do against it?
            I remember hosters marketing their "Anti-DoS" routers ...

            • KOM

              I remember hosters marketing their "Anti-DoS" routers …

              I remember people selling the Golden Gate bridge…

              The only solution to DDoS is upstream help from your ISP when you get hit, or some service like CloudFlare to avoid it before it hits. They have much larger pipes and infrastructure than you, and only they are in a position to filter the storm.

              • johnpoz (LAYER 8 Global Moderator)

                Why does this same question seem to come up every few weeks?

                There is NOTHING you can do about a volumetric DoS at the end of the pipe, i.e. your firewall. If the pipe is full, the pipe is full. Nothing you do to the packets as they come in at your end means anything, be it that you try to process them or just plain drop them. The pipe is full.

                The only measure against such an attack is to move upstream to where the pipe is fatter than your pipe, and keep the traffic from going down your small pipe.

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                • user12

                  Ok, I see… it's more of an unchangeable (in some way at least) physical problem.
                  Thanks for your help!

                  • Harvy66

                    @kpa:

                    The issue is that the DDoS is going to clog your connection before you have any chance to react to it, and even if you manage to react, you can't limit the traffic coming your way, because your upstream router is going to keep sending those packets regardless of what your firewall does.

                    Depends on what you mean by DDoS. There are asymmetric resource attacks against the FreeBSD network stack that only require a few megabits of traffic per second, not even enough to fill up the state table, and they will take down an 8-core Xeon with a 10Gb uplink. O(NM) algorithms, effectively O(N^2) in a DDoS, are very bad in the network stack. Think of it this way: if you have a state table size of 1 million and someone sends the right kind of traffic, a single packet with that O(NM) scaling can consume 1,000,000,000,000+ clock cycles. I don't know about you, but my computer can't afford to spend 1 trillion cycles per packet.

                    If a single person with a DSL connection and the ability to spoof source addresses can take down your entire 40Gb network, the software needs to be fixed. At least one person in the FreeBSD community is working on fixing FreeBSD's DDoS issues. Rule of thumb for firewalls/routers: if you run out of CPU before bandwidth, the code is poorly designed.

                    • KOM
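As an added illustration of the cost asymmetry Harvy66 describes (this is a toy model written for this thread, not pfSense or FreeBSD code): every inbound packet has to be matched against the state table, so the lookup structure decides how much work a packet that matches nothing costs the defender. With a linear scan that cost is N comparisons for N states; with a hashed lookup it stays roughly constant. All states and packets are constructed sample data.

```python
# Added toy model (not pfSense/FreeBSD code): each inbound packet is matched
# against the state table, so that data structure sets the defender's cost.
import random

class LinearStateTable:
    """Lookup by linear scan: a packet matching nothing costs N comparisons."""
    def __init__(self):
        self.states, self.comparisons = [], 0
    def insert(self, key):
        self.states.append(key)
    def lookup(self, key):
        for s in self.states:
            self.comparisons += 1
            if s == key:
                return True
        return False

class HashedStateTable:
    """Lookup keyed by the hashed 5-tuple: about one probe per packet."""
    def __init__(self):
        self.states, self.comparisons = set(), 0
    def insert(self, key):
        self.states.add(key)
    def lookup(self, key):
        self.comparisons += 1  # one hash probe, independent of table size
        return key in self.states

def fill(table, n):
    """Install n constructed established states (client ports 1024..1023+n)."""
    for i in range(n):
        table.insert(("203.0.113.%d" % (i % 250), 1024 + i, "192.0.2.10", 443, "tcp"))

def miss_cost(table, m, rng):
    """Comparisons spent on m constructed packets that match no state."""
    before = table.comparisons
    for i in range(m):
        # different source block and ports >= 40000, so never in the table
        src = "198.51.100.%d" % rng.randrange(1, 254)
        table.lookup((src, 40000 + i, "192.0.2.10", 443, "tcp"))
    return table.comparisons - before

def compare(n_states, n_packets, seed=1):
    """Defender work per design; 'amplification' is the free O(N) factor."""
    rng = random.Random(seed)
    linear, hashed = LinearStateTable(), HashedStateTable()
    fill(linear, n_states)
    fill(hashed, n_states)
    lin, hsh = miss_cost(linear, n_packets, rng), miss_cost(hashed, n_packets, rng)
    return {"linear": lin, "hashed": hsh, "amplification": lin // hsh}
```

The sender pays the same per packet in both cases; only the defender's work grows with the table, which is the "run out of CPU before bandwidth" symptom the post calls a design flaw.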

                      Yeah, good answer John. Wish I would have thought of that and said it ;D

                      • pedropt

                        Check this link: https://javapipe.com/iptables-ddos-protection

                        Does this work?

                        • KOM

                          Those techniques will work against attacks that try to use features/bugs of your TCP/IP network stack to make the system unresponsive due to exhausted resources. It won't do anything about DDoS due to oversaturated links.

                          • Mr. Jingles

                            @KOM:

                            I remember hosters marketing their "Anti-DoS" routers …

                            I remember people selling the Golden Gate bridge…

                            Thanks for the laugh ;D

                            6 and a half billion people know that they are stupid, aggressive, lower life forms.

                            • crookiecookie

                              There are some things you can do to mitigate some attacks.

                              GeoIP blocking is not foolproof, but it can cut down a lot of attacks.

                              Be sure to whitelist the IPs of update servers, Google, Let's Encrypt, etc. to be sure you continue receiving those services.

                              If you're not serving clients in some countries, block the whole country.

                              • johnpoz (LAYER 8 Global Moderator)

                                First post, and you jump into a 2-year-old thread with junk... Welcome <rolleyes>

                                You didn't even bother to read the 2-year-old thread you're replying to? What part of "the PIPE is full" did you not understand? Blocking Iran or Russia at the end of the pipe, at your firewall, does ZERO!!!

                                Posts like that make me miss the smite button ;)

                                An intelligent man is sometimes forced to be drunk to spend time with his fools
                                If you get confused: Listen to the Music Play
                                Please don't Chat/PM me for help, unless mod related
                                SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.