Firewall goes down when I am under DDoS attacks

Firewalling
blackmetal:

Hello,
I have a DDoS-protected uplink, but it's passing small attacks such as 80 Mbps UDP, and when I receive these UDP attacks my firewall goes down and all of my states are full.
Is there any way to prevent this?
Thanks

bmeeks:

You can alter the state timeouts in pfSense to make them much shorter, but honestly I doubt it will do much good. Everything about a DDoS needs to be handled upstream. All the traffic should be taken care of upstream before it gets into your Internet pipe.

blackmetal:

My upstream cleans the traffic for me; for example, the attack was about 4 Gbps, but they are passing 80 Mbps of that to me. They told me they cannot clear it completely.
So, any other idea?

bmeeks (replying to @blackmetal):

@blackmetal
Other than reducing the state timeouts, no. I suspect you are getting a ton of connection requests on an open port perhaps. Are they targeting some service you don't need and can shut down? If you have no external ports open, then you should be getting no connections and thus no open states. What are you running with an open external port that uses UDP? A DNS server perhaps, or NTP server?

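As an added example (not from the thread or from Netgate), here is what the two pieces of advice above, shorter state timeouts and exposing nothing beyond the ports actually needed, look like in pf.conf, the packet filter pfSense runs on. pfSense generates pf.conf itself, so on that platform these knobs are set in the GUI instead (roughly: System > Advanced > Firewall & NAT for the state limit, adaptive timeouts and optimization profile, and a rule's Advanced Options for "Max. src. states" and the per-rule state timeout). The macro names $wan_if, $dns_host and $game_host and their addresses are placeholders; the ports 53 and 27015 are the ones the thread mentions. The caveat from the thread still applies: this keeps the state table from filling, it does nothing about the 80 Mbps already arriving on the link.

```pf
# Added example, not pfSense's generated config. Macros below are assumptions.
wan_if    = "em0"
dns_host  = "203.0.113.10"   # placeholder (TEST-NET-3) for the user's "dst IP"
game_host = "203.0.113.11"   # placeholder for the game server

# 1. Hard ceiling on the state table plus adaptive timeouts: once the table is
#    60% full pf starts expiring idle states sooner, scaling down to zero
#    lifetime at 120% of the limit, so a flood cannot hold entries forever.
set limit states 200000
set timeout { adaptive.start 120000, adaptive.end 240000 }

# 2. Shorter UDP lifetimes (pf defaults: first 60s, single 30s, multiple 60s).
#    A flood packet that never gets a reply sits in udp.single and now ages
#    out after 10 seconds instead of 30.
set timeout { udp.first 20, udp.single 10, udp.multiple 30 }

# 3. Default deny on the WAN; only the two services the thread exposes.
block in on $wan_if

# max-src-states caps how many concurrent states one source address may hold
# on this rule; packets beyond the cap are dropped rather than creating new
# entries. Real DNS resolvers rarely need more than a handful at once.
pass in quick on $wan_if inet proto udp from any to $dns_host port 53 \
    keep state (max-src-states 30)

pass in quick on $wan_if inet proto udp from any to $game_host port 27015 \
    keep state (max-src-states 10)

# Verify after loading (pfctl -f /etc/pf.conf on plain FreeBSD):
#   pfctl -si   current state count versus the limit
#   pfctl -st   effective timeouts, including adaptive.start / adaptive.end
#   pfctl -ss   the state table itself (watch it during an attack)
```

The numbers are starting points, not tuned values: set max-src-states just above what your busiest legitimate client needs, and watch `pfctl -si` under normal load before lowering the UDP timeouts further, since too short a udp.multiple will break long-lived game sessions.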
blackmetal:

I have blocked all ports except 53 and 27015, but the attacker found these and sends attacks to these ports.

bmeeks (replying to @blackmetal):

@blackmetal
Why do you need port 53 open inbound to you? That is for DNS lookups. Are you running a public-facing DNS server? If not, close that port on your WAN. You don't need it unless you have a public-facing DNS server. Port 27015 is typically for gaming.

blackmetal:

Port 53 is open for my dst IP; it's for my user, and he is hosting a website. 27015 is for a game server.

KOM:

If you could stop a DDoS attack just by twiddling a setting, DDoS would not be a problem at all for anyone. Like what has been said before, this has to be handled upstream. If the bad traffic is getting to your WAN, you've already lost.

bmeeks (replying to @blackmetal):

@blackmetal
Hosting a web site on UDP port 53 is quite out of the ordinary! Web traffic is usually TCP on port 80 or HTTPS on port 443.

As @KOM said, and like I mentioned in my first post, once DDoS traffic is at your WAN you are pretty much toast. Yeah, you can fiddle around a bit with state timeouts, but it is not likely to help much at all. @KOM summed it up perfectly: if a simple firewall tweak could stop a DDoS, then there would be no DDoS attacks because they would be totally ineffective.

johnpoz (LAYER 8, Global Moderator):

Hosting a website on UDP 53 is MORONIC!!!

Gertjan:

@blackmetal The only thing left to do is to host your services with a hosting company that offers (very) good DDoS blocking services.
Even for big companies, effectively filtering DDoS attacks is the big problem these days. It asks for fast, adaptive equipment. DDoS filter rules change all the time.
Hosting yourself behind a one-and-only land line, added to that a static IP(s): your "friends" have you focused, and it's so damned easy for them to nail you down. You're just a still sitting duck right now.

© 2021 Rubicon Communications, LLC