DDoS attack - need help!
-
Hi there, I have a pfSense instance that has 1gbps symmetric connection - I host game servers and recently I have a problem with one game server:
A random person attacks the server port (31128 in this case) and the pfSense instance hangs up - State table size goes over 2 million connections and CPU usage stays at 20%~ (6 core CPU) and WAN inbound is around 15mbps.
From what I've seen, the attack is UDP and only on that port but there are thousands of IPs in the log so I cannot block them manually - that's why I have installed pfBlockerNG but I still have this issue, seems like it is not blocking the attack.
Any help please? Thanks!
-
You cannot block DDOS at the firewall level efficiently. That has to be done upstream.
It isn't cheap.
-
@chpalmer said in DDoS attack - need help!:
That has to be done upstream.
Keyword "DDOS Scrubbing" by ISP
It isn't cheap.
Agree
-
If it's a state exhaustion attack, that can sometimes be mitigated at the firewall.. Are you trying to block countries they are coming from? Not sure what you're trying to do with pfblocker.
You're going to have to show us what you're trying to do with pfblocker.. Do you have a list of known bad IPs that are being used in the attack, a list of ASNs? IP ranges? IPs from countries? Create your alias that lists the IPs you want to block and put it in front of your port forward on your WAN rules.
IPS could be used to filter traffic based on some signature that distinguishes good traffic from bad traffic to the same port.
But as stated if it's a volumetric attack - there is nothing you can do on the firewall.. A volumetric attack has to be mitigated upstream of your pipe, be it 1gig, 10gig or 100 even..
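
The alias approach suggested above, as an added example that is not from any poster in this thread: a Python sketch that turns firewall log lines into a short list of networks for a block alias. It assumes the IPv4 filterlog CSV field order (IP version at index 8, protocol name at 16, source at 18, destination port at 21); the function names, the thresholds and the sample lines are constructed for illustration.

```python
import ipaddress
from collections import Counter, defaultdict

PROTO_ID = {"udp": 17, "tcp": 6}

def sample_line(src, dport, proto="udp"):
    """Build one constructed log line in the assumed filterlog CSV layout."""
    return (f"5,,,1000000103,igb0,match,pass,in,4,0x0,,64,0,0,none,"
            f"{PROTO_ID[proto]},{proto},60,{src},192.0.2.10,40000,{dport},40")

# Constructed sample: three noisy hosts in one /24, one noisy lone host,
# one source seen only once, and traffic to an unrelated port.
SAMPLE = [sample_line(f"198.51.100.{h}", 31128) for h in (5, 6, 7) for _ in range(3)]
SAMPLE += [sample_line("203.0.113.9", 31128)] * 4
SAMPLE += [sample_line("203.0.113.50", 31128)]
SAMPLE += [sample_line("203.0.113.77", 27015)] * 5

def parse_udp_sources(lines, port):
    """Yield the source address of every IPv4 UDP packet sent to `port`."""
    for line in lines:
        f = line.strip().split(",")
        if len(f) < 22 or f[8] != "4" or f[16].lower() != "udp":
            continue  # not an IPv4 UDP record, or malformed
        if f[21] != str(port):
            continue
        try:
            yield ipaddress.IPv4Address(f[18])
        except ValueError:
            continue  # unparsable source field

def build_alias(lines, port, min_hits=3, hosts_per_24=3):
    """Return CIDR strings for sources that hit `port` at least `min_hits` times.

    When `hosts_per_24` or more noisy hosts share a /24, the whole /24 is
    listed instead of the individual hosts, which keeps the alias short.
    """
    hits = Counter(parse_udp_sources(lines, port))
    by_net = defaultdict(list)
    for ip, count in hits.items():
        if count >= min_hits:
            by_net[ipaddress.ip_network(f"{ip}/24", strict=False)].append(ip)
    nets = []
    for net, ips in by_net.items():
        if len(ips) >= hosts_per_24:
            nets.append(net)
        else:
            nets.extend(ipaddress.ip_network(f"{ip}/32") for ip in ips)
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

if __name__ == "__main__":
    print("\n".join(build_alias(SAMPLE, 31128)))
```

The output is one network per line, ready to paste into an alias used by a block rule placed ahead of the port forward. As the replies say, this only helps against state exhaustion; a volumetric flood still has to be handled upstream.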