Netgate Discussion Forum
    CHARGEN ddos attack

    General pfSense Questions
    6 Posts 5 Posters 1.8k Views
    sphillips

      I run a few gaming servers for fun with friends. Lately I've been getting some DDoS attacks from some players that I banned. While searching about it, I've found a few websites that will let you DDoS for free (not sure posting the website here is acceptable).

      While testing some of the attacks, the "CHARGEN" type of attack was the only one that I couldn't block from within pfSense. As a matter of fact, this type of attack would work on ports that are not even open (works on any port). Is this possible to block from within pfSense?

      JorgeOliveira

        As far as I know, and I just Googled about the subject, CHARGEN is just another kind of UDP bandwidth-based reflection/amplification attack. In this case, the attacker(s) overwhelm the bandwidth to cause denial-of-service.

        Unfortunately pfSense alone will not mitigate this. You need to contact your ISP and find if they can help you.

        My views have absolutely no warranty express or implied. Always do your own research.

        Derelict (Netgate)

          A firewall cannot stop "too much" traffic from arriving on your WAN. All it can do is block it when it arrives.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

          sphillips

            As I thought... I had called my ISP as soon as I found out what kind of attack it was. Unfortunately they will not provide support or don't know how to provide support; all they will tell you is to reboot my router to change my IP (I actually had kind of a fight with the attendant after hearing that stupid "solution"). Anyway, it seems I'll have to live with it.

            pfBasic

              I don't know anything about DDOS attacks so this may not be helpful at all (probably won't be as you've already had responses from experienced people), but I'll put it out there in hopes it helps you out.

              Could you use suricata and the Emerging Threats DDOS list to ban the attacking IPs?

              emerging-dos.rules

              > this type of attack would work on ports that are not even open (works on any port)

              Again would some suricata rules that block IPs that hit your unused ports help?

              
              drop tcp $EXTERNAL_NET any -> any !$MY_PORT (msg:"The Golden Rule, TCP"; classtype:network-scan; sid:9000; rev:1;)
              drop udp $EXTERNAL_NET any -> any !$MY_PORT (msg:"The Golden Rule, UDP"; classtype:network-scan; sid:9001; rev:1;)
              
              

              Those rules will drop anything not on your network on any port going to any IP on any port you aren't using.

              You can modify/add variables if necessary in /usr/local/pkg/suricata/suricata_yaml_template.inc under the "vars:" section.
              You'll need to add the $MY_PORT variable there as a list of the ports you use.
              Syntax Example:

              
                # Holds the port group vars that would be passed in a Signature.
                port-groups:
                  {$port_vars}
                  MY_PORT: "[80, 443, 1024:65535]"
              
              

              Again, I know nothing about DDOS attacks so this may not work. If nothing else you could use the rules to build a list of offending IPs, possibly to send to your ISP? Those two custom rules will in theory not generate any IPs that are "real" traffic (you might need to adjust variables to accommodate your servers? but I think they will work as is once you create $MY_PORT).

              Check the link "Suricata Persistent Blocked Hosts List How To" in my signature if you are rebooting/shutting down a lot and need a persistent list.

              You can also use the commands there to export your IP lists to file so you can send to your ISP.

              ```
              pfctl -T show -t snort2c | gzip > /usr/local/etc/snort2c.gz
              ```

              You might need to increase your Firewall Maximum Table Entries at System > Advanced > Firewall & NAT.
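
              The following is an added example, not code from this thread, from Suricata or from pfSense. It reads a `$MY_PORT` port-group string in the `[80, 443, 1024:65535]` form used above, applies the logic of the two "Golden Rule" lines (drop any TCP/UDP from outside whose destination port is not in `$MY_PORT`) to a handful of constructed sample flows, and tallies the source IPs that would be dropped, the kind of list one could hand to an ISP. It also flags flows that look like CHARGEN reflection (UDP from source port 19) separately, because a reflected flood aimed at a port that *is* in `$MY_PORT` is not dropped by those rules, and with `1024:65535` in the group almost every inbound port counts as "used". The parser, flow tuples and function names are all assumptions made for this example.

              ```python
              """Evaluate Suricata-style 'drop anything not in $MY_PORT' rules against
              constructed sample flows.  Added example; not from the thread or Suricata."""
              import re
              from collections import Counter

              def parse_port_group(spec: str) -> list:
                  """Parse a port-group string like "[80, 443, 1024:65535]" into a list of
                  inclusive (low, high) ranges.  Hypothetical helper: it supports only the
                  comma list and low:high range forms, not nesting or '!' negation."""
                  spec = spec.strip()
                  if spec.startswith("[") and spec.endswith("]"):
                      spec = spec[1:-1]
                  ranges = []
                  for item in spec.split(","):
                      item = item.strip()
                      if not item:
                          continue
                      m = re.fullmatch(r"(\d+)(?::(\d+))?", item)
                      if not m:
                          raise ValueError(f"unsupported port item: {item!r}")
                      lo = int(m.group(1))
                      hi = int(m.group(2)) if m.group(2) else lo
                      if not (0 <= lo <= hi <= 65535):
                          raise ValueError(f"port out of range: {item!r}")
                      ranges.append((lo, hi))
                  return ranges

              def port_in_group(port: int, ranges) -> bool:
                  """True if port falls inside any (low, high) range."""
                  return any(lo <= port <= hi for lo, hi in ranges)

              # Constructed sample flows, not real captures: (proto, src_ip, src_port, dst_port).
              # 27015 stands in for a game server port; 203.0.113.0/24 etc. are documentation ranges.
              SAMPLE_FLOWS = [
                  ("udp", "203.0.113.5", 19, 27015),    # CHARGEN-style reply aimed at the open game port
                  ("udp", "203.0.113.5", 19, 5000),     # same reflector, aimed at an unused port
                  ("udp", "198.51.100.7", 19, 6000),    # another reflector, unused port
                  ("tcp", "192.0.2.9", 41000, 443),     # ordinary HTTPS client
                  ("tcp", "192.0.2.9", 41000, 22),      # same client probing unused port 22
                  ("udp", "203.0.113.5", 53, 33000),    # DNS-looking reply to a high port
              ]

              def golden_rule_drops(flows, my_port_spec: str) -> list:
                  """Flows the two posted rules would drop: external TCP/UDP whose
                  destination port is NOT in $MY_PORT (the '!$MY_PORT' match)."""
                  ranges = parse_port_group(my_port_spec)
                  return [f for f in flows
                          if f[0] in ("tcp", "udp") and not port_in_group(f[3], ranges)]

              def offending_sources(flows, my_port_spec: str) -> Counter:
                  """Distinct source IPs with drop counts, i.e. the list to send to an ISP."""
                  return Counter(f[1] for f in golden_rule_drops(flows, my_port_spec))

              def chargen_reflection_hits(flows) -> list:
                  """Flows that look like CHARGEN reflection: UDP with source port 19.
                  These are only dropped by the posted rules when the destination port is
                  outside $MY_PORT, which is the gap the original poster ran into."""
                  return [f for f in flows if f[0] == "udp" and f[2] == 19]

              if __name__ == "__main__":
                  for spec in ("[80, 443, 1024:65535]", "[443, 27015]"):
                      print(f"MY_PORT = {spec}")
                      for f in golden_rule_drops(SAMPLE_FLOWS, spec):
                          print("  drop", f)
                      print("  offenders:", dict(offending_sources(SAMPLE_FLOWS, spec)))
                  print("CHARGEN-looking flows:", chargen_reflection_hits(SAMPLE_FLOWS))
              ```

              Running it with the thread's example value `[80, 443, 1024:65535]` drops only the probe to port 22; the reflected UDP toward 5000, 6000 and 33000 all land inside `1024:65535` and pass. Tightening `$MY_PORT` to the ports the servers actually listen on drops the strays and yields a source list, but the flow aimed at the open game port still gets through, which is why the rules help with classification and reporting more than with the bandwidth problem itself.
              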

                ivor

                http://pfsensei.org/2015/04/02/a-cup-of-tea/

                Need help fast? Our support is available 24/7 https://www.netgate.com/support/

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.