Netgate Discussion Forum
    How to prevent DDOS using Snort?

    Category: IDS/IPS | 29 Posts, 5 Posters, 8.1k Views
    • Derelict (LAYER 8, Netgate)

      Please answer the questions asked for starters.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      • NogBadTheBad

        No 8080 there. Have you cleared the firewall logs?

        But as Derelict mentioned in his first post if it is a DDoS there isn't much you can do apart from talking to your ISP.

        Andy

        1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

        • jlee18 (replying to @Derelict)

          @derelict I don't have a rule for that port. I'm using the default rules.

          • Derelict (LAYER 8, Netgate)

            Then the connections would have been blocked, and there's not much you can do but talk to upstream to stop it.

            Hard to imagine someone sending enough TCP SYNs to a blocked port to be a problem though.

            • jlee18

              @derelict said in How to prevent DDOS using Snort?:

              you can do but talk to upstream to stop it

              What do you mean by upstream ("you can do but talk to upstream to stop it")?
              Internet provider?

              • Derelict (LAYER 8, Netgate)

                Yes.

                • jlee18 (replying to @Derelict)

                  So pfBlockerNG and Snort are useless? Can I just close my WAN ports?

                  Thank you so much.

                  • Derelict (LAYER 8, Netgate)

                    You said they WERE closed.

                    Post your WAN rules.

                    • johnpoz (LAYER 8, Global Moderator)

                      Unless you created a port forward, or are running OpenVPN or something where the wizard would allow traffic on your WAN to the port the VPN listens on, ALL unsolicited traffic to your WAN is dropped/blocked out of the box.

                      Please post your WAN rules as asked, and actually state why you feel you were attacked. A couple hundred hits? Is that even your WAN? The 5353 and 1900 are most likely broadcast traffic from your LAN side, or it's BS noise from your ISP's layer 2 on your WAN.

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                      • jlee18

                        [screenshot attachment: 0_1539350384030_8fffb162-ccbe-4355-9edf-7803559b84b9-image.png]

                        [screenshot attachment: 0_1539350399837_46af302c-90ab-4476-a473-4b19e397d31a-image.png]

                        • NogBadTheBad

                          Any floating rules?

                          • jlee18

                            [screenshot attachment: 0_1539350616775_0e5eddd1-b250-4aed-97e4-37a16aa47e02-image.png]

                            • johnpoz (LAYER 8, Global Moderator)

                              The rules on your WAN are pointless!!! All interfaces have default deny on them. Those rules are pointless unless you have turned off default logging and just want to log those ports and pings.

                              And again, where is this attack? I see nothing in your logs but a very LOW level of noise...

                              • jlee18 (replying to @johnpoz)

                                @johnpoz said in How to prevent DDOS using Snort?:

                                The rules on your wan are pointless!!! All interfaces have default deny on them.. Its pointless for those rules unless you have turned off default logging and just want to log those ports and pings.

                                What should I do, sir? Delete the port 80 and 443 rules to avoid an incoming SYN flood to my WAN IP?

                                • johnpoz (LAYER 8, Global Moderator)

                                  What? They are pointless in the sense that those ports are dropped by default... There is no reason for those rules unless you had turned off default logging of the default rule and wanted to log them, as I see you have enabled logging on the rules.

                                  Those have ZERO to do with any SYN flood ;)

                                  Again, where is this attack? If you had, say, 1000 hits in a second or something, you might have something to investigate... But you have nothing but a very, very low amount of typical noise in your logs.

                                  • jlee18 (replying to @johnpoz)

                                    @johnpoz Sorry, noob question: where can I check if I got 1000 hits per second? Maybe I'm just curious about last night?

                                    • BSA66

                                      Hey @jlee18, I am actually, including the Snort blocks, getting approximately 0 to 3/4 (for short times maybe max 10) hits per second. After these there is at least a minute where there is often not even one lonely hit (log alert, under Snort or even system logs -> firewall log).

                                      Many are ET or port scans automatically blocked by pfSense (with or without Snort, for example as the firewall blocks incoming traffic on WAN by default).

                                      As I worked it out, this is all the normal "background noise".

                                      If I am surfing the WWW the "hits" (alerts, blocks and so on) increase radically, but even if there is nothing online (TV off, printer on standby, every PC or smartphone "off") there are at least 500 hits per 12 hours on my WAN. All "normal", as suggested, as port scans, "trial and error break-ins" or, as I guess, security look-offs (trying to find malicious or malware-spreading Command & Control hosts or similar...).

                                      That's annoying, yes. But it ain't my business, so my firewall blocks 'em and that's all at least I can do about it :-D

                                      I didn't read the thread all again but read it several days ago (sorry for that!)
                                      But I just wanted at least to give you an answer on how to get an overview of how many hits per second might get produced on your firewall.

                                      As mentioned: I get between 0 and max 10. Sometimes there's even a minute with nothing happening on WAN and then there is a hit every 20 seconds or even every minute. And very rarely there seem to be combined operations or "randomly happened hits" which can reach up to, let's say, a maximum of 10 hits per second (for just a few seconds).

                                      I am a noob like you and just wanted to share my experience with you. If you got any further questions, here's the right place to state them. :-)

                                      BTW I got my own thread where nobody has answered for 2 1/2 days, but it's okay... gotta read more about it and (hopefully) work it out correctly for me :-D

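Both johnpoz's benchmark ("1000 hits in a second" would be worth investigating; a couple hundred over a night is noise) and BSA66's rough count (0 to 10 hits per second, then quiet minutes) come down to one question: how many blocked inbound hits per second does the firewall log actually show, and from whom? The script below is an added example written for this thread; it is not Netgate code and not something either poster ran. It assumes the pfSense 2.4+ `filterlog` CSV layout (rule, sub-rule, anchor, tracker, interface, reason, action, direction, IP version, then the IPv4 or IPv6 header fields, then source/destination ports and TCP flags), and the log lines in `SAMPLE_LOG` are constructed, not captured traffic. It also separates multicast destinations (the 1900/SSDP and 5353/mDNS hits johnpoz flagged as LAN-side chatter) from real external sources.

```python
"""Per-second hit counts from pfSense firewall log lines.

Added example, not from the thread or from Netgate. Assumes the pfSense 2.4+
filterlog CSV layout; SAMPLE_LOG is constructed, not captured traffic.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample: a trickle of noise, two multicast hits from the LAN side,
# then a short burst of bare SYNs from one source against port 80.
SAMPLE_LOG = """\
Oct 12 21:00:01 pfSense filterlog[55123]: 5,,,1000000103,igb0,match,block,in,4,0x0,,48,1,0,DF,6,tcp,60,203.0.113.5,198.51.100.7,54321,8080,0,S,1,,65535,,mss
Oct 12 21:00:01 pfSense filterlog[55123]: 5,,,1000000103,igb0,match,block,in,4,0x0,,4,2,0,none,17,udp,160,192.0.2.9,239.255.255.250,1900,1900,140
Oct 12 21:00:01 pfSense filterlog[55123]: 5,,,1000000103,igb0,match,block,in,4,0x0,,255,3,0,none,17,udp,120,192.0.2.9,224.0.0.251,5353,5353,100
Oct 12 21:00:02 pfSense filterlog[55123]: 5,,,1000000103,igb0,match,block,in,4,0x0,,51,4,0,DF,6,tcp,60,198.51.100.200,198.51.100.7,40001,443,0,S,2,,29200,,mss
Oct 12 21:00:05 pfSense filterlog[55123]: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,5,0,DF,6,tcp,60,203.0.113.77,198.51.100.7,1025,80,0,S,3,,8192,,mss
Oct 12 21:00:05 pfSense filterlog[55123]: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,6,0,DF,6,tcp,60,203.0.113.77,198.51.100.7,1026,80,0,S,4,,8192,,mss
Oct 12 21:00:05 pfSense filterlog[55123]: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,7,0,DF,6,tcp,60,203.0.113.77,198.51.100.7,1027,80,0,S,5,,8192,,mss
Oct 12 21:00:05 pfSense filterlog[55123]: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,8,0,DF,6,tcp,60,203.0.113.77,198.51.100.7,1028,80,0,S,6,,8192,,mss
Oct 12 21:00:05 pfSense filterlog[55123]: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,9,0,DF,6,tcp,60,203.0.113.78,198.51.100.7,1029,80,0,S,7,,8192,,mss
Oct 12 21:00:06 pfSense filterlog[55123]: 5,,,1000000103,igb0,match,block,in,6,0x00,0x00000,64,tcp,6,40,2001:db8::1,2001:db8::2,50000,22,0,S,8,,65535,,mss
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ filterlog\[\d+\]: (?P<csv>.*)$"
)


def parse_line(line):
    """Return a dict for one filterlog line, or None if the line is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    f = m.group("csv").split(",")
    if len(f) < 9:
        return None
    rec = {"ts": m.group("ts"), "iface": f[4], "action": f[6], "dir": f[7]}
    if f[8] == "4":    # IPv4: tos,ecn,ttl,id,offset,flags,proto-id,proto,len,src,dst
        proto, src, dst, rest = f[16], f[18], f[19], f[20:]
    elif f[8] == "6":  # IPv6: class,flow-label,hop-limit,proto,proto-id,len,src,dst
        proto, src, dst, rest = f[12], f[15], f[16], f[17:]
    else:
        return None
    rec.update(proto=proto, src=src, dst=dst, sport="", dport="", tcp_flags="")
    if proto in ("tcp", "udp") and len(rest) >= 2:
        rec["sport"], rec["dport"] = rest[0], rest[1]
    if proto == "tcp" and len(rest) > 3:
        rec["tcp_flags"] = rest[3]  # "S" is a bare SYN
    return rec


def parse_log(text):
    """Parse every filterlog line in the text and skip anything else."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def blocked_inbound(records):
    return [r for r in records if r["action"] == "block" and r["dir"] == "in"]


def is_local_noise(rec):
    """Multicast destinations (SSDP 1900, mDNS 5353) are LAN-side chatter, not an attack."""
    try:
        return ipaddress.ip_address(rec["dst"]).is_multicast
    except ValueError:
        return False


def hits_per_second(records):
    """Blocked inbound hits keyed by log timestamp (one-second resolution)."""
    return dict(Counter(r["ts"] for r in blocked_inbound(records)))


def find_bursts(records, threshold):
    """Seconds with at least `threshold` blocked inbound hits, with the top source."""
    by_second = {}
    for r in blocked_inbound(records):
        by_second.setdefault(r["ts"], []).append(r)
    bursts = []
    for ts, recs in by_second.items():
        if len(recs) < threshold:
            continue
        src, n = Counter(r["src"] for r in recs).most_common(1)[0]
        bursts.append({"ts": ts, "count": len(recs), "top_src": src, "top_src_hits": n,
                       "syn_only": sum(r["tcp_flags"] == "S" for r in recs)})
    return bursts


def top_sources(records, n=5):
    """Busiest external sources, ignoring multicast noise."""
    return Counter(r["src"] for r in blocked_inbound(records)
                   if not is_local_noise(r)).most_common(n)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("hits per second:", hits_per_second(recs))
    print("bursts (>= 4/s):", find_bursts(recs, threshold=4))
    print("top sources:", top_sources(recs))
```

To run it against your own box, replace `SAMPLE_LOG` with the firewall log as plain text (on pfSense that is `/var/log/filter.log`; on older releases that still use the clog circular format, `clog /var/log/filter.log` dumps it as text). With the constructed sample the output shows what a "nothing to see" night looks like next to a genuine burst: three seconds of one-off noise, and one second in which a single source sends five bare SYNs to port 80. Pick the `threshold` to match what your logging is for: johnpoz's figure of 1000 hits in a second is the kind of number that warrants a call to the ISP, whereas BSA66's 10-per-second blips are background.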
                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.