Keep getting hit with random attacks
-
As the title states I keep getting hit with random attacks that some how bypass pfsense entirely and hit my wifi router.
Most recently I was streaming on twitch and the attack wasn't big or long but it did take out my network I had to reset everything and was forced to call my ISP and have them "refresh" the line to get connectivity back.
A sample of one of them is (DoS Attack: RST Scan] from source: 24.105.., port 80, Tuesday, December 26, 2017 21:21:05)
About 11 packets were captured by the net gear before connectivity dropped.I edited the Ip to protect the 3rd party that it came from as I had contacted their legal department about 20 minutes ago.
Another example is
[DoS Attack: ACK Scan] from source: 8.42.., port 443, Tuesday, December 26, 2017 16:40:09
Every time this happens their small fast bursts I only capture 10-15 packets that drop my connectivity entirely I have updated all the rule sets for snort etc is there anything I can manually set in the firewall rules for it to catch these before the hit my wifi router and drop the packets?
I am on a 50meg connection and I can handle some but this is so small scale but still effective some how and I do not understand how the packets are bypassing pfsense entirely and hitting my net gear router directly.
These IP's for the time that the burst happens stay the same then the next time they hit me they change and all I can seem to get off my logs is maybe 10 or 15 log entries before the connection dies.
Any help or suggestions would be appreciated as this is very annoying and happens multiple times a week I am almost at the point of getting a partnership and getting paid for my streaming but with this happening I cant fulfill requirements.
Side note I have tried setting max connections as per another guide but if the packets are bypassing pfsense entirely I don't see how I can change the settings to make that specific setting work.
-
By default, new connection attempts from the Internet and out-of-state packets are dropped. How are they getting past pfSense in the first place? If you wifi even behind pfSense? Did you open up a bunch of ports or something? Out of the box, this should not be an issue. You changed something and we need to know what you changed. A diagram of your network and a screen-shot of your WAN firewall rules would be nice.
-
Or its his wifi router he is running as double nat behind pfsense misreporting traffic. That would be my guess.
-
I have Nat disabled on my netgear WNR2000v5 and it is current on firmware
my network is as follows
Cable Modem>Pfsense>Router
I attached a screenshot of my default Wan setup the only 2 things I did custom were PFBlockerNG and Snort.
I don't see how it could be misrepresenting traffic from a service I have not used or connected to in 10 days which would be the 24 ip Blizzard Entertainment and the other Ip I refuse to use their services after they messed me over big time which was GoDaddy my home policy since some bad garbage I went through as a teen has always been and always will be if you are not using it close it and disconnect.

 -
24.105 and 8.42 are owned by Blizzard and Level 3 respectively. And the ports in use are standard HTTP ports that your device connected to.
I had a Netgear device that would claim "DOS" attacks from something as simple as someone attempting to connect to a few ports like 21, 22, 80, 443.. ZOMG! DDOS! Just log spam to make it look it it's doing something useful. Probably just a false positive. Now what is your WNR2000v5 doing making connections to Blizzard and Level 3? If it's not, then what is and why is your Netgear getting traffic for another device?
I am curious as to what about your network is broken. You said you have to call your ISP to reset something? Sounds like nothing to do with your personal equipment, but maybe your modem? If it continues to be a problem, you may want to exchange for another modem. I know when I had Charter a long time ago, I could swap modems whenever.
-
24.105 and 8.42 are owned by Blizzard and Level 3 respectively. And the ports in use are standard HTTP ports that your device connected to.
I had a Netgear device that would claim "DOS" attacks from something as simple as someone attempting to connect to a few ports like 21, 22, 80, 443.. ZOMG! DDOS! Just log spam to make it look it it's doing something useful. Probably just a false positive. Now what is your WNR2000v5 doing making connections to Blizzard and Level 3? If it's not, then what is and why is your Netgear getting traffic for another device?
I am curious as to what about your network is broken. You said you have to call your ISP to reset something? Sounds like nothing to do with your personal equipment, but maybe your modem? If it continues to be a problem, you may want to exchange for another modem. I know when I had Charter a long time ago, I could swap modems whenever.
Yea I know its from Blizzard the main problem is I have not been connected to them like I stated in 10 days I haven't used a single service of theirs what so ever and the problem with the network after I receive these packet "bursts" I loose all connectivity usually a quick reset on my routers work and its back up and running but for some reason last night there was still high latency so I called Charter and they called it a "line refresh" but I know they sent a reset signal through the line. (I worked for sprint installing Satellite DSL for a short time until i was fed up with their policies in the bay area of California)
I just had my cable modem replaced for some reason the one I had the tech said it was causing static on the line showed me his meter readings plugged the new one in had it approved for the account then took new readings and it cleared up and my bandwidth was more stable afterwards it wasn't until recently when I had to ban someone from one of my servers that these problems started happening he threatened to DDoS me get my accounts banned etc I reported him to everyone I could with logs of proof.
One of the companies I work with for my servers/services asked me if they could forward my information to his ISP with their detailed report of the problems he was causing along with the threats I told them I would rather them be the ones to deal with it if they needed to contact me they could do it through a conference call.
I was hit randomly with random packets lagged me out then they stopped when I found out he was on "holiday" for a week he got home yesterday and it started again we have a mutual friend that warned me ahead of time he was going to be home and about 3 hours after the contact that's when the problems happened again and why I decided to reach out here to see if there were any additional settings or reasons he would some how be bypassing pfsense and hitting my router directly.
I mean honestly if there isn't anything else I could possibly set to stop these packets and just have to accept them then I might file a police report when it happens again and seek out help from the feds as he is international, I doubt they would be able to do much as he hasn't cost me more than 10k in damages yet but every minute I am not able to stream due to this that is potential money lost.
-
Well small update I reset pfsense back to default everything reinstalled snort and pfblocker and while I was streaming I was hit again for probably 10 minutes strait it caused some latency I jumped to a 800 ping at first then I noticed packets being dropped in pfsense and my latency dropped down to a manageable rate.
I'm not sure if I accidentally changed something I shouldn't have but its running smoothly now!
-
Oh my GAWD those pfblocker rules are utterly pointless since you have no port forwards… The default rule on wan block.. You have no port forwards so those rules saying hey your from asia block are pointless!!!
It only makes sense to block like that when you have a port forward open - and you don't xyz to be able to get to your port forward below it.
You have your "router" behind pfsense - not doing NAT... So its an AP??? When would its firewall even come in to play then to be able to report on traffic??
Not exactly sure what your seeing - but I would be multiple BTC that its not some sort of attack.. That is for damn sure!! Your game company is attacking you?? Yeah Ok
-
It's most likely the filesharing options in your game launcher(s) that effectively turns you computer to a torrent seeder for game updates you have downloaded, if you don't tune those properly for your available bandwidth you will get DOS'ed by everyone downloading the same updates.
Do yourself a favor and turn all of those off, bittorrent is nice in theory but nobody with a sane mind should allow it by default on game updates and the like.