Netgate Discussion Forum
    firewall goes down when i am under ddos attacks

    Category: Firewalling
    11 Posts 5 Posters 1.1k Views

    blackmetal

      Hello,
      I have a DDoS-protected uplink, but it's passing small attacks such as 80 Mbps UDP, and when I receive these UDP attacks my firewall goes down and all of my states are full.
      Is there any way to prevent this?
      Thanks

      bmeeks

        You can alter the state timeouts in pfSense to make them much shorter, but I honestly doubt it will do much good. Everything about a DDoS needs to be handled upstream. All the traffic should be taken care of upstream before it gets into your Internet pipe.

        blackmetal

          My upstream cleans the traffic for me; for example, the attack was about 4 Gbps but they passed 80 Mbps of that on to me. They told me they cannot clear it completely.
          So, any other ideas?

          bmeeks @blackmetal

            @blackmetal
            Other than reducing the state timeouts, no. I suspect you are getting a ton of connection requests on an open port perhaps. Are they targeting some service you don't need and can shut down? If you have no external ports open, then you should be getting no connections and thus no open states. What are you running with an open external port that uses UDP? A DNS server perhaps, or NTP server?

            blackmetal

              I have blocked all ports except 53 and 27015, but the attacker found these and sends the attacks to those ports.

              bmeeks @blackmetal
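With only ports 53 and 27015 left open, the first thing to establish when the table fills is which remote hosts hold the states and which of the two services they are aimed at. The script below is an added example, not code from this thread or from pfSense: a POSIX shell triage of `pfctl -ss` output that counts states per remote peer and per local target. The sample state lines are constructed with documentation addresses, and the NAT-translated game server at 10.0.0.20 is an assumption made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): triage a full pf state table by
# counting states per remote host and per local target from `pfctl -ss`.
# On the pfSense shell:  pfctl -ss | top_state_sources
#                        pfctl -ss | top_state_targets
# The sample below is constructed; all addresses are documentation ranges
# and the 10.0.0.20 game server behind a port forward is an assumption.

# Constructed `pfctl -ss` lines.
# Format: <if> <proto> <local[:port]> [(translated)] <-|-> <remote[:port]> <state>
# Inbound states print "local <- remote", outbound print "local -> remote",
# so the address right after the arrow is always the remote peer.
SAMPLE_STATES='all udp 198.51.100.5:53 <- 203.0.113.10:40001       NO_TRAFFIC:SINGLE
all udp 198.51.100.5:53 <- 203.0.113.10:40002       NO_TRAFFIC:SINGLE
all udp 198.51.100.5:53 <- 203.0.113.10:40003       NO_TRAFFIC:SINGLE
all udp 198.51.100.5:27015 (10.0.0.20:27015) <- 203.0.113.10:40004       NO_TRAFFIC:SINGLE
all udp 198.51.100.5:27015 (10.0.0.20:27015) <- 203.0.113.77:27005       MULTIPLE:MULTIPLE
all tcp 198.51.100.5:443 <- 192.0.2.9:51234       ESTABLISHED:ESTABLISHED
all udp 198.51.100.5:50123 -> 192.0.2.53:53       MULTIPLE:SINGLE'

# States per remote host, highest first. Reads `pfctl -ss` lines on stdin.
top_state_sources() {
    awk '
    {
        for (i = 2; i < NF; i++) {
            if ($i == "<-" || $i == "->") {
                h = $(i + 1)
                # drop the port: pfctl prints IPv4 as a.b.c.d:port, IPv6 as addr[port]
                sub(/(:[0-9]+|\[[0-9]+\])$/, "", h)
                count[h]++
                break
            }
        }
    }
    END { for (h in count) print count[h], h }
    ' | sort -rn -k1,1
}

# Inbound states per local address:port, highest first. The port is kept
# because it tells you which open service (53 or 27015 here) is being hit.
top_state_targets() {
    awk '
    {
        for (i = 2; i < NF; i++) {
            if ($i == "<-" || $i == "->") {
                t = $(i - 1)
                if (t ~ /^\(/) t = $(i - 2)   # skip the "(translated)" NAT address
                if ($i == "<-") count[t]++     # inbound only: local side is the target
                break
            }
        }
    }
    END { for (t in count) print count[t], t }
    ' | sort -rn -k1,1
}

echo "States per remote host:"
printf '%s\n' "$SAMPLE_STATES" | top_state_sources
echo "Inbound states per local target:"
printf '%s\n' "$SAMPLE_STATES" | top_state_targets
```

On the firewall itself, `pfctl -si` shows the current state count against the limit and `pfctl -st` the timeouts in force. The knobs this thread talks about live in pfSense under System > Advanced > Firewall & NAT (Firewall Optimization Options, Firewall Maximum States) and in the Advanced Options of each pass rule (Max. src. states, State timeout), so the two rules for 53 and 27015 can be given a short state timeout and a per-source state cap without touching anything else. The caveat is that a UDP flood can use spoofed sources; in that case the per-host counts come out flat and no per-source cap helps, which is exactly the situation the replies here say has to be handled upstream.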

                @blackmetal
                Why do you need port 53 open inbound to you? That is for DNS lookups. Are you running a public-facing DNS server? If not, close that port on your WAN. You don't need it unless you have a public-facing DNS server. Port 27015 is typically for gaming.

                blackmetal

                  Port 53 is open for my destination IP; it's for my user, and he is hosting a website. 27015 is for a game server.

                  KOM

                    If you could stop a DDoS attack just by twiddling a setting, DDoS would not be a problem at all for anyone. Like what has been said before, this has to be handled upstream. If the bad traffic is getting to your WAN, you've already lost.

                    bmeeks @blackmetal

                      @blackmetal
                      Hosting a web site on UDP port 53 is quite out of the ordinary! Web traffic is usually TCP on port 80 or HTTPS on port 443.

                      As @KOM said, and like I mentioned in my first post, once DDoS traffic is at your WAN you are pretty much toast. Yeah, you can fiddle around a bit with state timeouts, but it is not likely to help much at all. @KOM summed it up perfectly, if a simple firewall tweak could stop a DDoS, then there would be no DDoS attacks because they would be totally ineffective.

                      johnpoz (LAYER 8 Global Moderator)

                        Hosting a website on UDP 53 is MORONIC!!!

                        Gertjan

                          @blackmetal The only thing left to do is host your services with a hosting company that offers (very) good DDoS blocking services.
                          Even for big companies, effectively filtering DDoS attacks is the big problem these days. It asks for fast, adaptive equipment; DDoS filter rules change all the time.
                          Hosting yourself behind a one-and-only landline, with static IP(s) on top of that: your "friends" are focused on you, and it's so damned easy for them to nail you down. You're just a sitting duck right now.

                          Edit: and where are the logs??

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.