Firewall goes down when I am under DDoS attacks

  • Hello,
    I have a DDoS-protected uplink, but it's passing small attacks such as 80 Mbps UDP, and when I receive these UDP attacks my firewall goes down and all of my states are full.
    Is there any way to prevent this?

  • You can alter the state timeouts in pfSense to make them much shorter, but I honestly doubt it will do much good. Everything about a DDoS needs to be handled upstream. All the traffic should be taken care of upstream before it gets into your Internet pipe.
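As an added illustration (not code from the thread or from pfSense itself) of the state-timeout tuning mentioned above, here is a pf.conf fragment with the stock UDP timeouts beside tightened ones and a per-source state cap on the two exposed UDP ports; the interface name and host addresses are placeholders.

```pf
# Added example: pf.conf fragment, not taken from the thread or from pfSense.
# Interface and addresses are placeholders chosen for the example.
ext_if   = "vtnet0"        # WAN interface (assumption)
game_srv = "192.0.2.10"    # host receiving UDP 27015 (placeholder)
dns_srv  = "192.0.2.20"    # host receiving UDP 53 (placeholder)

# pf defaults: an unanswered UDP packet holds a state for 60 s, so a flood of
# small UDP packets creates states far faster than they expire.
# set timeout { udp.first 60, udp.single 30, udp.multiple 60 }

# Tightened: unanswered UDP states expire after 10 s; genuine two-way UDP
# flows (a game session) still keep a 30 s timeout. This only bounds how long
# each bogus state lives; it does nothing to the packet rate on the wire.
set timeout { udp.first 10, udp.single 5, udp.multiple 30 }
set timeout interval 5          # run the state purge more often (default 10 s)
set limit states 500000         # raise the state ceiling if RAM allows

block in on $ext_if             # default deny on WAN

# Cap how many states any single source address may hold on each rule, so one
# address cannot fill the table on its own. Spoofed sources defeat this cap,
# which is why the replies insist on upstream scrubbing.
pass in quick on $ext_if proto udp from any to $game_srv port 27015 \
    keep state (source-track rule, max-src-states 50)
pass in quick on $ext_if proto udp from any to $dns_srv port 53 \
    keep state (source-track rule, max-src-states 20)
```

pfSense writes equivalent settings into its generated pf.conf from the GUI (the firewall optimization option and a rule's advanced max-source-states field), so these lines are for reading rather than pasting.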

  • My upstream cleans the traffic for me. For example, the attack was about 4 Gbps, but they are passing 80 Mbps of that to me. They told me they cannot clear it completely,
    so any other idea?

  • @blackmetal
    Other than reducing the state timeouts, no. I suspect you are getting a ton of connection requests on an open port, perhaps. Are they targeting some service you don't need and can shut down? If you have no external ports open, then you should be getting no connections and thus no open states. What are you running with an open external port that uses UDP? A DNS server perhaps, or an NTP server?

  • I have blocked all ports except 53 and 27015, but the attacker found this and sends attacks to these ports.

  • @blackmetal
    Why do you need port 53 open inbound to you? That is for DNS lookups. Are you running a public-facing DNS server? If not, close that port on your WAN. You don't need it unless you have a public-facing DNS server. Port 27015 is typically for gaming.

  • Port 53 is open for my dst IP, and it's for my user, who is hosting a website, and 27015 is for a game server.

  • If you could stop a DDoS attack just by twiddling a setting, DDoS would not be a problem at all for anyone. Like what has been said before, this has to be handled upstream. If the bad traffic is getting to your WAN, you've already lost.

  • @blackmetal
    Hosting a web site on UDP port 53 is quite out of the ordinary! Web traffic is usually TCP on port 80 or HTTPS on port 443.

    As @KOM said, and like I mentioned in my first post, once DDoS traffic is at your WAN you are pretty much toast. Yeah, you can fiddle around a bit with state timeouts, but it is not likely to help much at all. @KOM summed it up perfectly: if a simple firewall tweak could stop a DDoS, then there would be no DDoS attacks because they would be totally ineffective.

  • LAYER 8 Global Moderator

    Hosting a website on 53 udp is MORONIC!!!

  • @blackmetal The only thing left to do is to host your services with a hosting company that offers (very) good DDoS blocking services.
    Even for big companies, effectively filtering DDoS attacks is the big problem these days. It asks for fast, adaptive equipment. DDoS filter rules change all the time.
    Hosting yourself behind a one-and-only land line, added to that a static IP (or IPs): your "friends" have you in focus, and it is so damned easy for them to nail you down. You're just a sitting duck right now.
