
    Unanalysable DoS attack

      loripino21 last edited by

      Hi,
      I am running pfSense as a HyperV VM to protect a server directly exposed to the internet.
      Recently the server suddenly becomes unreachable from the Internet (no ping, no RDP, no SMTP,… nothing) for some time every 2-3 days. Since the services are run in many different VMs (and they cannot all become busy at the same time), the problem should be pfSense handling an attack.

      Look at the attached screenshot, which is from the monitoring page.
      It makes no sense. The downtime matches a region where the graph reports almost 0 pps, and the summary also reports only a few pps as the maximum, but look at the popup!
      Millions of pps from IPv6 and IPv4! Even more incredible since my WAN has no IPv6 configuration (no DHCP, just none).

      Please help, as I cannot figure out how to handle this.
      I am at your disposal for any further info and logs.


        Harvy66 last edited by

        Not "millions". It's a lowercase "m" meaning milli, or thousandth. About 1/3rd of a packet per second.

          loripino21 last edited by

          Oh. Didn't know that.
          At least the graph makes sense now.
          But I still cannot understand why the server isn't reachable from the internet in that period.
          If very few packets reach the server even if they should, then there is a problem at my ISP level?

            isolatedvirus last edited by

            Run an extended ping test from the unreachable host, from the pfSense box, from a different internal host, and from the last node before your ISP handoff, to the internet (say 8.8.8.8 for example). Check the packet loss specifically just before, during, and after these events. If you're seeing any considerable packet loss across the board, it's most likely an ISP issue. If you're seeing packet loss only on select hosts, start looking at the common route hops each host has with each other.

            If at all possible, also try a fancy PathPing from a Windows box (or whatever the equivalent would be in Linux) across the internet to the affected host. This should give you an even greater idea of what hop on the route is causing issues for inbound traffic.

            All of this data should present a VERY strong case to your ISP. Provide them with as much information as possible, including any graphs you have access to yourself.

            If you happen to have an SLA, even better, because this is grounds for service termination in most SLAs.

              loripino21 last edited by

              Thanks for the answer.
              The problem is that I cannot do that while the server isn't reachable.
              That's because the pfSense VM and the other VMs all run on the same physical host, which for security reasons is not directly reachable from the internet but only through pfSense.
              Just think of the physical host as another PC on the pfSense LAN.
              When this problem occurs, I cannot access anything, not even the physical host (since RDP, for example, is NATted by pfSense), so I cannot gain access to the pfSense login.

              The only solution I can think of is a cron that does the ping…

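
The extended ping test isolatedvirus describes, run unattended from cron as loripino21 suggests, could look like the following. This is an added example, not code from either poster; the script path, the log location, the 192.0.2.1 gateway placeholder and the 20% loss threshold are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): packet-loss logger meant to run from cron,
# e.g.  * * * * * /root/pingloss.sh run     (path is an assumption)
LOG="${LOG:-/var/log/pingloss.log}"       # assumed log location
TARGETS="${TARGETS:-8.8.8.8 192.0.2.1}"   # 192.0.2.1 = placeholder for the ISP gateway
COUNT="${COUNT:-10}"                      # echo requests per target per run
THRESH="${THRESH:-20}"                    # loss % treated as "considerable" (assumption)

# Read a ping summary on stdin and print the loss percentage.
# Handles FreeBSD ("0.0% packet loss") and Linux ("0% packet loss") output;
# prints 100 when there is no summary line (ping could not run at all).
parse_loss() {
    loss=$(sed -n 's/.* \([0-9.]*\)% packet loss.*/\1/p' | head -n 1)
    echo "${loss:-100}"
}

# Ping one target and append "epoch target loss" to the log.
probe() {
    loss=$(ping -c "$COUNT" "$1" 2>/dev/null | parse_loss)
    echo "$(date +%s) $1 $loss" >> "$LOG"
}

# Read log records on stdin and judge the window START..END (epoch seconds):
#   all  = every target lost >= THRESH% at some point (loss across the board)
#   some = only part of the targets did (look at the hops they share)
#   none = no target reached the threshold, or no records in the window
verdict() {
    awk -v s="$1" -v e="$2" -v t="$THRESH" '
        $1 >= s && $1 <= e { seen[$2] = 1; if ($3 + 0 >= t) bad[$2] = 1 }
        END {
            for (k in seen) n++
            for (k in bad) b++
            if (n + 0 == 0 || b + 0 == 0) print "none"
            else if (b == n) print "all"
            else print "some"
        }'
}

# Only probe when called as "pingloss.sh run"; sourcing defines the functions only.
if [ "${1:-}" = "run" ]; then
    for target in $TARGETS; do probe "$target"; done
fi
```

Because the log is written on the box itself, it survives an outage that cuts off remote access; afterwards, feeding it to `verdict` with the start and end of the downtime shows whether loss hit every target or only some.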
                chpalmer last edited by

                Talk a little about your internet connection and the equipment on site that provides it.

                That's the kind of thing that can happen with this: https://forum.pfsense.org/index.php?topic=126200.0

                Triggering snowflakes one by one..
