Possible DOS/DDOS Attack



  • Hi

    Not the type of guy to throw the "Subject" words about like a 12 year old on Xbox.

    But I'm just curious about some happenings as of late. It seems that now and then my landing page for pfSense will 403 me for about 1-5 minutes, not allowing Internet connection nor LAN access to the firewall HTTP page.

    Few questions.

    Does this sound like an attack of some kind? Also:

    Does pfSense, if run in PPPoE mode, protect to an extent, or better than a consumer router?

    Is this considered a Breach or just something else?

    FYI: This is the 3rd time in roughly 1/2 weeks this has happened.

    2/3 times it self-repaired and services were restored. The last one was a forced reboot.

    Thanks


  • LAYER 8 Global Moderator

    A 403 error?? Makes no sense. Have never seen such an error from pfSense. And you say it just clears up?? What is in the pfSense logs after you have such an issue?



  • I might be incorrect about 403; this is going from memory of last night.

    I haven't checked the logs. As far as I'm aware, it only keeps 50 records, and being as I had to hard reboot, that state would have been lost?

    Or am I wrong?

    But yes, on previous counts, nothing could access the Internet nor the internal HTTP page for anywhere between 1 minute and 5 minutes.

    Thanks


  • LAYER 8 Global Moderator

    Well, let's be clear on the error you're seeing - how about a screenshot? And just because you have it set to 50 in the GUI, a lot more logs are there. And you can always bump the GUI log up. Why would your log be lost on a reboot? Are you running nanobsd or something?



  • Hi.

    Well, a print screen is hard to get since this isn't a regular happening, which is even more suspicious, meaning it's less likely to be a failure of hardware or other.

    And I will fish through the logs, but I can bet you, unless I change the verbose level, it will most likely show me nothing other than the fact stuff is breaking or going horribly wrong.

    When the Internet Fails & the HTTP Web Mgmt Page fails, this is clearly an Exhaustion of some kind.

    Thanks

    If this helps, I can most likely guarantee this is happening via the WAN.


  • LAYER 8 Global Moderator

    Exhaustion of what - your state table?  How?  So look on your monitor graphs - is the interface pegged?  With blocked traffic?  Is some other box on your network saturating the line and keeping pfsense busy?  What does the CPU monitor graph show after it comes back?




  • Hi John

    I would love to tell you that when the "incident" happens, but I cannot access the HTTP GUI, as per prev post, so I cannot see anything of any nature, hence my assumption, as it cannot serve me my request; otherwise this wouldn't be an issue per se.

    As for that graph, could you kindly tell me how you have enabled that?

    Thanks


  • LAYER 8 Global Moderator

    It's enabled out of the box. And you can see history, so even when your GUI is not available you can go in after and check information on whether the CPU was pegged. You can look at your bandwidth being used on your interfaces. Etc., etc.

    It's under status monitoring. Lots of info you can view there for if your resources were tied up while you were having issues. Were you having packet loss, your states, etc. And then again, what was in your logs after you get back access? During the period you were having issues.

    Even if the WAN was down you should be able to get to your GUI. So unless the CPU was pegged, or something crashed on pfSense, you should be able to get in. Maybe just unbound crashed and you had no DNS - so your browser error was just that it could not resolve your pfSense FQDN you were trying to access?

    Not much can help you with figuring out what happens with no info to work with.
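
The triage reasoning in the last reply (GUI should still answer if only the WAN or DNS is down), as an added example that is not part of the original thread: a probe to run from a LAN client during the next outage. `FW_IP`, `FW_FQDN`, `GUI_PORT` and `OUTSIDE` are assumed values to replace with your own.

```python
import socket
import time

# Assumed values for illustration; replace with your own.
FW_IP = "192.168.1.1"          # assumed LAN address of the firewall
FW_FQDN = "pfsense.home.arpa"  # assumed name you normally type in the browser
GUI_PORT = 443                 # assumed webGUI port
OUTSIDE = ("1.1.1.1", 443)     # public IP literal, so the check needs no DNS

def resolves(name):
    """True if the system resolver returns an address for name."""
    try:
        socket.getaddrinfo(name, None)
        return True
    except socket.gaierror:
        return False

def tcp_open(host, port, timeout=3.0):
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def classify(gui_by_ip, dns_ok, wan_by_ip):
    """Map the three probe results to the most likely fault domain."""
    if not gui_by_ip:
        # Firewall itself is not answering on the LAN: pegged CPU, crash,
        # or a LAN-side problem. Review monitoring history and logs after.
        return "FIREWALL_UNRESPONSIVE"
    if not dns_ok and wan_by_ip:
        # GUI and WAN fine by IP, only names fail: resolver (e.g. unbound).
        return "DNS_ONLY"
    if not dns_ok:
        return "WAN_AND_DNS_DOWN"
    if not wan_by_ip:
        return "WAN_ONLY"
    return "OK"

def run_probes():
    """Run all three probes once and return the classification."""
    return classify(tcp_open(FW_IP, GUI_PORT), resolves(FW_FQDN),
                    tcp_open(*OUTSIDE))

if __name__ == "__main__":
    # Timestamp the result so it can be matched against the firewall's
    # monitoring graphs and logs for the same window.
    print(time.strftime("%Y-%m-%d %H:%M:%S"), run_probes())
```

A `DNS_ONLY` result means the GUI was reachable by IP the whole time, which points at the resolver rather than at resource exhaustion on the firewall.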


