How to prevent DDOS using Snort?



  • Someone attacked my router last night and I want to defend it using Snort. I need some suggestions on how to set it up properly to prevent DDoS.


  • Netgate

    Attacked how?

    Snort can't defend against what is usually called a DDoS (flooding your link with packets from distributed sources) because by the time it arrives it's too late to do anything about it.



  • @derelict said in How to prevent DDOS using Snort?:

    Attacked how?

    Snort can't defend against what is usually called a DDoS (flooding your link with packets from distributed sources) because by the time it arrives it's too late to do anything about it.

    Do you have any suggestions on how I can prevent any attacks, sir?


  • Netgate

    If it is a true DDoS there is nothing you can do but go upstream and have them try to block it.



  • So pfBlocker and Snort are useless?


  • Netgate

    To a DDoS consisting of traffic overwhelming your interface, yes, they are useless.

    Look. The traffic is already there. Your "pipe" is already full. Any action taken on your side of the interface cannot change that. All it can do is drop it, which is the default behavior of the firewall.

    You might get some relief by disabling logging of dropped packets in Status > System Logs, Settings, Log firewall default blocks, but that won't do anything to stop the traffic. It just might reduce the load on the firewall in processing it.


  • Rebel Alliance Global Moderator

    When you say attacked, what exactly does this mean to you? You saw some blocked hits in your firewall? How do you know your router was attacked last night?

    I could say my router gets attacked every few seconds - if you look in your firewall log and think that every unsolicited hit is an "attack" ;)

    They like to attack the common ports, 23, 22, 3389, 80, 1433 - loads and loads of attacks ;) Or what normal people would call noise.. The internet is FULL of it...

    Look at all the noise ;)
    (screenshot: noise.png)



  • I saw many TCP connections/IPs coming to my WAN public IP on port 8080 from 9 pm to 11:30 pm; at 11:35 pm the internet became normal again. From a ping of 30-40 my ping went up to 1000, 2000, 3000. We were dead last night. My ntopng was not working last night because of the new updates.

    I want to know how I can prevent those incoming floods to my WAN public IP.


  • Netgate

    Do you have rules on WAN passing traffic to that port? Do you know what is on 8080 on WAN?

    You are getting bad information because you called it a DDoS.

    The very first thing I asked was "Attacked how?"


  • Galactic Empire

    Just to give us an idea, post a screenshot of the bottom of Status -> System Logs -> Firewall -> Summary View.

    Here's mine; I only have 3000-ish drops in total.

    (screenshot: Screenshot 2018-10-11 at 20.51.45.png)



  • (two screenshots attached)



  • @derelict said in How to prevent DDOS using Snort?:

    Do you have rules on WAN passing traffic to that port? Do you know what is on 8080 on WAN?

    You are getting bad information because you called it a DDoS.

    The very first thing I asked was "Attacked how?"

    What should I do, sir?


  • Netgate

    Please answer the questions asked for starters.


  • Galactic Empire

    No 8080 there. Have you cleared the firewall logs?

    But as Derelict mentioned in his first post if it is a DDoS there isn't much you can do apart from talking to your ISP.



  • @derelict I don't have rules for that port. I'm using the default rules.


  • Netgate

    Then the connections would have been blocked, and there's not much you can do but talk to upstream to stop it.

    Hard to imagine someone sending enough TCP SYNs to a blocked port to be a problem though.



  • @derelict said in How to prevent DDOS using Snort?:

    you can do but talk to upstream to stop it

    What do you mean by upstream? "you can do but talk to upstream to stop it"
    The Internet provider?


  • Netgate

    Yes.



  • So pfBlockerNG and Snort are useless? Can I just close my WAN ports?

    Thank you so much.


  • Netgate

    You said they WERE closed.

    Post your WAN rules.


  • Rebel Alliance Global Moderator

    Unless you created a port forward, or are running OpenVPN or something where the wizard would allow traffic on your WAN to the port the VPN listens on, ALL unsolicited traffic to your WAN is dropped/blocked out of the box.

    Please post your WAN rules as asked, and actually state why you feel you were attacked. A couple hundred hits? Is that even your WAN? The 5353 and 1900 are most likely broadcast traffic from your LAN side, or it's BS noise from your ISP's layer 2 on your WAN.



  • (two screenshots attached)


  • Galactic Empire

    Any floating rules?



  • (screenshot attached)


  • Rebel Alliance Global Moderator

    The rules on your WAN are pointless!!! All interfaces have default deny on them. Those rules are pointless unless you have turned off default logging and just want to log those ports and pings.

    And again, where is this attack? I see nothing in your logs but a very LOW level amount of noise...



  • @johnpoz said in How to prevent DDOS using Snort?:

    The rules on your wan are pointless!!! All interfaces have default deny on them.. Its pointless for those rules unless you have turned off default logging and just want to log those ports and pings.

    What should I do, sir? Delete the port 80 and 443 rules to avoid incoming SYN floods to my WAN IP?


  • Rebel Alliance Global Moderator

    What? They are pointless in the sense that they are dropped by default... There is no reason for those rules unless you had turned off default logging of the default rule and wanted to log them, as I see you have enabled logging on the rules.

    Those have ZERO to do with any SYN flood ;)

    Again, where is this attack? If you had, say, 1000 hits in a second or something, you might have something to investigate... But you have nothing but a very, very low amount of typical noise in your logs.



  • @johnpoz Sorry, noob question: where can I check if I got 1000 hits per second? Maybe I'm just curious about last night?



  • Hey @jlee18, I am actually, including the Snort block, getting approximately 0 to 3/4 (for short times maybe max 10) hits per second. After these there is at least a minute where there is often not even one lonely hit (log alert, under Snort or even System Logs -> Firewall log).

    Many are ET or port scans automatically blocked by pfSense (with or without Snort, for example as the firewall blocks incoming connections on WAN by default).

    As I worked it out, this is all the normal "background noise".

    If I am surfing the WWW the "hits" (alerts, blocks and so on) increase radically, but even if there is nothing online (TV off, printer on standby, any PC or smartphone "off") there are at least 500 hits per 12 hours on my WAN. All "normal", as suggested, such as port scans, "trial and error break-ins" or, as I guess, security look-offs (trying to find malicious or malware-spreading Command & Control hosts or similar...)

    That's annoying, yes. But it ain't my business, so my firewall blocks 'em and that's at least all I can do about it :-D

    I didn't read the whole thread again but read it several days ago (sorry for that!)
    But I just wanted to at least give you an answer on how to get an overview of how many hits per second might get produced on your firewall.

    As mentioned: I get between 0 and max 10. Sometimes there's even a minute with nothing happening on WAN and then there is a hit every 20 seconds or even every minute. And very rarely there seem to be combined operations or "randomly happened hits" which can reach up to, let's say, a maximum of 10 hits per second (for just a few seconds).

    I am a noob like you and just wanted to share my experience with you. If you've got any further questions, here's the right place to state them. :-)

    BTW I've got my own thread where nobody has answered for 2 1/2 days, but it's okay... gotta read more about it and (hopefully) work it out correctly for me :-D
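The question asked earlier in the thread (where to check whether you really got 1000 hits in a second) can be answered offline from the firewall log lines pfSense writes via filterlog. The script below is an added example, not from the thread or from pfSense itself: it parses filterlog lines (constructed sample lines are embedded, not real traffic), counts blocked packets per second on the WAN interface, and reports the noisiest source addresses and destination ports; the interface name em0, the 1000 hits/second threshold and the host name are assumptions.

```python
import re
from collections import Counter

# Constructed sample pfSense firewall log lines (not real traffic). Fields after
# "filterlog:" follow pfSense's CSV filter-log layout for IPv4: rule,subrule,anchor,
# tracker,iface,reason,action,dir,ipver,tos,ecn,ttl,id,offset,flags,protonum,proto,len,src,dst,sport,dport,...
SAMPLE_LOG = """\
Oct 11 21:00:01 pfSense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.7,198.51.100.2,51000,8080,0,S,,,,
Oct 11 21:00:01 pfSense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.7,198.51.100.2,51001,8080,0,S,,,,
Oct 11 21:00:01 pfSense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.7,198.51.100.2,51002,8080,0,S,,,,
Oct 11 21:00:01 pfSense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.9,198.51.100.2,40000,8080,0,S,,,,
Oct 11 21:00:02 pfSense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.0.2.50,198.51.100.2,33333,22,0,S,,,,
Oct 11 21:00:02 pfSense filterlog: 12,,,1000000201,em1,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,10.0.0.5,198.51.100.2,44444,80,0,S,,,,
"""

LINE_RE = re.compile(  # syslog prefix "Mon DD HH:MM:SS host filterlog[pid]: <csv>"
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ filterlog(?:\[\d+\])?: (?P<csv>.*)$")

def parse_filterlog(text):
    """Yield one dict per IPv4 filterlog line; anything else is skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        f = m.group("csv").split(",")
        if len(f) < 22 or f[8] != "4":   # IPv6 lines use a different field layout
            continue
        yield {"ts": m.group("ts"), "iface": f[4], "action": f[6],
               "proto": f[16], "src": f[18], "dst": f[19], "dport": f[21]}

def block_rate_report(text, iface="em0", flood_threshold=1000, top_n=3):
    """Peak blocked packets per second on iface, plus the noisiest sources/ports."""
    per_second, sources, ports = Counter(), Counter(), Counter()
    for r in parse_filterlog(text):
        if r["iface"] != iface or r["action"] != "block":
            continue
        per_second[r["ts"]] += 1            # syslog timestamps have 1 s resolution
        sources[r["src"]] += 1
        ports[(r["proto"], r["dport"])] += 1
    if not per_second:
        return {"peak_rate": 0, "peak_second": None, "flood": False,
                "top_sources": [], "top_ports": []}
    peak_second, peak_rate = per_second.most_common(1)[0]
    return {"peak_rate": peak_rate, "peak_second": peak_second,
            "flood": peak_rate >= flood_threshold,   # 1000/s was the bar named in the thread
            "top_sources": sources.most_common(top_n),
            "top_ports": ports.most_common(top_n)}

if __name__ == "__main__":
    print(block_rate_report(SAMPLE_LOG))
```

Feed it the raw lines from Status > System Logs > Firewall (or /var/log/filter.log on the box) and compare the peak rate against the few-per-second background noise the replies above describe; a true flood shows up as one second with hundreds or thousands of blocks, not as a handful of scattered hits.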