Advanced UDP filtering
-
Hi!
Before just going on "PFSENSE IS NOT A DDOS MITIGATION TOOL". I know.
However,
It has come to my attention that I am receiving DDoS attacks on a port of mine that I cannot switch out.
http://prntscr.com/i3j40g
All hitting port 27025 (a game server).
I have multiple networks running (One that is independent from this PFSense installation)
As far as I know, the attack is actually not filling the pipe with garbage, which means it's just filling up my "state table size", leaving my pfSense box unusable.
I have been trying with pfBlocker to block all countries; however, this still means pfSense has to process it, and it is not super effective with larger attacks.
Is there any way I can filter those UDP packets? I see from the screenshot above that they all use the same size; is there no way to block packets by size?
Sorry for asking this probably insanely stupid question, I just saw someone having the same issue on here (filled state table size).
Thanks
-
Mess with "Firewall Adaptive Timeouts" under "System/Advanced/Firewall & NAT"
You can also tweak "State Timeouts (seconds - blank for default)" in the same area. You could reduce the "UDP Single" timeout. I think it defaults to 30 sec.
You may also want to look into tweaking these in loader.conf.local. Their values should be a power of two and equal to or larger than your state table size. They will consume more memory, but not sure how much. I have 8GiB of memory and no proxy/IDS, so I'm not concerned.
net.pf.states_hashsize=524288
net.pf.source_nodes_hashsize=524288
You also might want to create/alter a rule for that incoming port and rate limit how quickly states can be created. While it may not allow new people to connect, it would allow current states to continue to live without your state table blowing up.
Just some ideas.
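Added example (not part of the reply above or of pfSense itself): a small POSIX sh script that sizes the two pf hash tables from a chosen state-table limit using the "power of two, at least the state table size" rule, prints the matching /boot/loader.conf.local lines, and prints the kind of pf rule pfSense generates when you set "Max. src. states" / "Max. src. nodes" in a rule's Advanced Options. The state-table size (400000), interface name (igb0), server address (203.0.113.10) and the per-source caps are assumed values for illustration. Note that pf's max-src-states and max-src-nodes apply to UDP as well as TCP; only max-src-conn and max-src-conn-rate are TCP-only.

```shell
#!/bin/sh
# Added example, not from the thread: compute pf hash sizes for a given
# state-table limit and emit loader.conf.local lines plus a per-source
# UDP state cap for the game port. All concrete values are assumptions.

# Smallest power of two that is >= $1.
next_pow2() {
    n=$1
    p=1
    while [ "$p" -lt "$n" ]; do
        p=$((p * 2))
    done
    echo "$p"
}

# loader.conf.local lines for a state table of $1 entries.
loader_conf_lines() {
    size=$(next_pow2 "$1")
    echo "net.pf.states_hashsize=$size"
    echo "net.pf.source_nodes_hashsize=$size"
}

# pf rule (pfctl syntax) capping UDP states per source on the game port.
# $1 interface, $2 server address, $3 UDP port,
# $4 max states per source IP, $5 max tracked source IPs.
# max-src-states / max-src-nodes work for UDP; max-src-conn-rate does not.
udp_state_cap_rule() {
    iface=$1; host=$2; port=$3; per_src=$4; nodes=$5
    echo "pass in quick on $iface proto udp from any to $host port $port keep state (max-src-states $per_src, max-src-nodes $nodes)"
}

# Demo with assumed values: a 400k-entry state table and the game server
# at 203.0.113.10 behind igb0, allowing 8 states per source, 20000 sources.
loader_conf_lines 400000
udp_state_cap_rule igb0 203.0.113.10 27025 8 20000
```

On a pfSense box the first two lines go into /boot/loader.conf.local (create the file if it does not exist) followed by a reboot; the rule is what to expect in /tmp/rules.debug after setting the equivalent Advanced Options on the WAN rule for port 27025. A per-source cap does not stop a spoofed flood from many source addresses, which is why the state-table size and the UDP timeouts still matter.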
-
For your last part:
Can I rate limit UDP ports? I thought that is only for TCP?
Where do I find this file:
loader.conf.local
I have only recently begun to work with pfSense.
I also have 8GB (DDR2) memory in my box hosting pfsense.
-
I was incorrect about UDP state rate limiting. It is TCP only. The logic must not be about states but about SYN packets.
/boot/loader.conf.local
-
Hi again.
Thanks for all help.
With all of this, I still haven't seemed to get it to filter some of it.
However, is there any way I can see how many pps there are coming in? My ISP asks for this.
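Added example (not part of the thread): a POSIX sh script that derives an inbound packets-per-second figure from two `pfctl -si` snapshots taken an interval apart, by summing the IPv4 "Passed" and "Blocked" counters under "Packets In" and dividing the difference by the interval. The two snapshots embedded below are constructed text modelled on that output, not captures from the poster's box; the interface name igb0 and the counter values are assumptions. On a real pfSense system `netstat -w 1 -I igb0` from the shell also prints per-second packet counts directly, and Status > Interfaces shows the raw counters in the GUI.

```shell
#!/bin/sh
# Added example, not from the thread: inbound pps from two pfctl -si
# snapshots. Sample snapshots below are constructed for illustration.

# Sum IPv4 Passed+Blocked under "Packets In" in one pfctl -si snapshot ($1).
packets_in() {
    printf '%s\n' "$1" | awk '
        $1 == "Packets" && $2 == "In" { grab = 2; next }
        grab > 0 && ($1 == "Passed" || $1 == "Blocked") { sum += $2; grab-- }
        END { print sum + 0 }'
}

# Integer packets per second from counters $1 (before), $2 (after), $3 seconds.
pps() {
    echo $(( ($2 - $1) / $3 ))
}

# Live measurement on a pfSense box: sample, wait $1 seconds, sample again.
# Not run here because it needs pfctl.
live_pps() {
    a=$(pfctl -si)
    sleep "$1"
    b=$(pfctl -si)
    pps "$(packets_in "$a")" "$(packets_in "$b")" "$1"
}

# Constructed snapshots (assumed layout of pfctl -si), 5 seconds apart.
SNAP_A='Status: Enabled for 0 days 00:10:00           Debug: Urgent

Interface Stats for igb0              IPv4             IPv6
  Bytes In                       123456789                0
  Bytes Out                       98765432                0
  Packets In
    Passed                          1500000                0
    Blocked                          250000                0
  Packets Out
    Passed                           900000                0
    Blocked                               0                0'

SNAP_B='Status: Enabled for 0 days 00:10:05           Debug: Urgent

Interface Stats for igb0              IPv4             IPv6
  Bytes In                       134567890                0
  Bytes Out                       99000000                0
  Packets In
    Passed                          1505000                0
    Blocked                          320000                0
  Packets Out
    Passed                           905000                0
    Blocked                               0                0'

INTERVAL=5
echo "inbound pps: $(pps "$(packets_in "$SNAP_A")" "$(packets_in "$SNAP_B")" "$INTERVAL")"
```

Give the ISP the figure from a sample taken during the flood, and note whether the growth is mostly in "Blocked" (traffic pf is already dropping, which still costs CPU) or "Passed" (traffic that is creating states on the game port rule).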