Max State Entries Per Host



  • Hi All,

    We had an attack last night that saw our state entries hit the max of 816000. We have 'Maximum state entries per host' set to 30000 on the floating incoming rule.

    After reading it seems that the max state entries per host only counts incoming connection IPs and then blocks those. In an attack involving for example a few thousand servers all SPAMming us with low bandwidth packets this is not effective.

    We would prefer destination host to have their state entries counted also so that only it would be affected rather than all our local hosts by such an attack.

    Is such a thing possible? We can't even determine which IP was being attacked as the PFSense was essentially uncontactable during the attack.

    Also surely it should be possible to reserve connections/states for the PFSense admin?

    Any help on how to approach this to prevent it reoccurring would be really helpful.

    Thanks,
    Will



  • Not an answer to your question, but related. PFSense out of the box uses the standard TCP timeouts, which are absurdly long lived(https://doc.pfsense.org/index.php/Advanced_Setup) for unestablished connections. Like 30 second timeout for opening connections. 60 seconds for first packet, 30 seconds for "opening". It's pretty crazy when you realize that 99.9999% of computers use a TCP stack that give up after 24 seconds.

    Depending on the attack, you may benefit right off the bat from setting the first/opening timeouts to 25 seconds, which is the default TCP 3 attempts with exponential backoff, plus one second. The next thing is to change the configuration in the firewall to reduce the TCP timeouts on a linear scale as the state table gets fuller. I forget where this is, but you set a "starting" and "ending" where starting will leave your timeouts about 100% and ending your timeouts are about 0%, meaning the TCP states clear out very quickly.

    The other big issue with PFSense(FreeBSD) is one of the internal algorithms to clean up old states is O(MN) scaling, which means if you have a lot of incoming IP addresses with lots of states, your firewall dies trying to clean up the states. Think of 1000 IPs with 1000 states, that's 1mil operations just to clean up a single state. A 1ghz CPU could at most only clean up 1,000 states per second, and that's assuming all operations take only one second.

    The next thing to do is reduce your number of max states to something legitimate traffic may actually produce with a bit of buffer. The good news is a large company that deals with DDOS attacks and uses FreeBSD as their firewall is working on fixing these issues. They want to make DDOS attacks a volume only issue, not someone with a 1Mb/s DSL taking down a 100Gb/s firewall.