Unanalysable DoS attack



  • Hi,
    I am running pfSense as a Hyper-V VM to protect a server directly exposed to the internet.
    Recently the server suddenly becomes unreachable from the Internet (no ping, no rdp, no smtp,… nothing) for some time every 2-3 days. Since the services are run in many different VMs (and they cannot become all busy at the same time) the problem should be pfSense handling an attack.

    Look at the attached screenshot that is from monitoring page.
    It makes no sense. The downtime matches a region where the graph reports almost 0 pps, and the summary also reports only a few pps as the maximum, but look at the popup!
    Millions of pps from IPv6 and IPv4! Even more incredible since my WAN has NO IPv6 configuration (no dhcp, just none).

    Please help as I cannot figure out how to handle this.
    I am at your disposal for any further info and logs.




  • Not "millions". It's a lower case "m" meaning milli, or thousandth. About 1/3rd of a packet per second.



  • Oh. Didn't know that.
    At least the graph makes sense now.
    But I still cannot understand why the server isn't reachable from the internet in that period.
    If very few packets reach the server even if they should, is there then a problem at my ISP level?



  • Run an extended ping test from the unreachable host, from the pfSense box, from a different internal host, and from the last node before your ISP handoff, to the internet (say 8.8.8.8 for example). Check the packet loss specifically just before, during, and after these events. If you're seeing any considerable packet loss across the board, it's most likely an ISP issue. If you're seeing packet loss only on select hosts, start looking at the common route hops each host has with each other.

    If at all possible, also try a fancy PathPing from a Windows box (or whatever the equivalent would be in Linux) across the internet to the affected host. This should give you an even greater idea of what hop on the route is causing issues for inbound traffic.

    All of this data should present a VERY strong case to your ISP. Provide them with as much information as possible, including any graphs you have access to yourself.

    If you happen to have an SLA, even better, because this is grounds for service termination in most SLAs.



  • Thanks for the answer.
    The problem is that I cannot do that while the server isn't reachable.
    That's because pfSense VM and the other VMs all run in the same physical host, which for security reasons is not directly reachable from the internet but only through pfSense.
    Just think of the physical host as another PC on pfSense LAN.
    When this problem occurs, I cannot access anything, not even the physical host (since RDP for example is NATted by pfSense), so I cannot gain access to pfSense login.

    The only solution I can think of is a cron that does the ping…
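
The scheduled ping raised in the posts above, as an added example that is not part of the original thread: a POSIX sh script that logs packet loss per target so the samples taken before, during and after an outage can be read once access returns. The script path, `TARGETS`, `LOG` and the 50% threshold are assumptions; `192.0.2.1` is a placeholder for the ISP gateway.

```shell
#!/bin/sh
# Added example (not from the thread): log packet loss per target from cron,
# then list the samples where loss was high so hosts can be compared.
# TARGETS, LOG and the 50% threshold are assumptions; 192.0.2.1 is a
# placeholder for the ISP gateway, 8.8.8.8 is the address named in the thread.
TARGETS="${TARGETS:-192.0.2.1 8.8.8.8}"
LOG="${LOG:-/var/log/pingwatch.log}"

# Pull the loss percentage out of ping's summary line.
# Matches both FreeBSD ("0.0% packet loss") and Linux ("0% packet loss").
parse_loss() {
    sed -n 's/.* \([0-9][0-9.]*\)% packet loss.*/\1/p'
}

# One sample: ping each target and append "UTC-time target loss%" to $LOG.
# A target that yields no summary line at all is logged as 100.
sample() {
    now=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    for t in $TARGETS; do
        loss=$(ping -c 10 "$t" 2>/dev/null | parse_loss)
        echo "$now $t ${loss:-100}" >> "$LOG"
    done
}

# Print the lines of log file $1 whose loss is at or above $2 (default 50).
outages() {
    awk -v min="${2:-50}" '$3 + 0 >= min + 0' "$1"
}

# Entry point. Hypothetical cron line:  * * * * * /root/pingwatch.sh sample
case "${1:-}" in
    sample) sample ;;
    report) outages "$LOG" "${2:-50}" ;;
esac
```

Running the same script on the pfSense box and on one LAN host gives two logs whose timestamps can be lined up against the outage window.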



  • Talk a little about your internet connection and the equipment on site that provides it.

    That's the kind of thing that can happen with this: https://forum.pfsense.org/index.php?topic=126200.0

