Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    State Table DoS - SYN_SENT connections all over the place!?! Help me!!!

    Scheduled Pinned Locked Moved Firewalling
    6 Posts 3 Posters 1.3k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • Z
      zimmy6996
      last edited by zimmy6996

      Good morning community ... I'm running in to a problem the last 30 days or so, and need to help to solve it. For about the past 3 weeks, I've seen this trend where i'm getting whacked on the state table with stuck connections. Basically, it appears that its some sort of NMAP scanning, or some now script kiddie tool that is making waves on the internet. For some reason, it has really started to cause headaches for me.

      First, off, let me show you my state table counts ...

      04e012a5-7ad3-4afe-9cdd-2b44e3e9305d-image.png

      As you can see, sometime around the 26th of september, this started to rear it's head. And the past week has got out of hand.

      Yes the 700K state spike yesterday, I definitely was able to see it's was 3 hosts that were just hammering away at me. What is happening is it leaves all these sessions in a SYN_SENT state. The sessions in the state table all relate to ports where we have valid services open. We blocked the traffic upstream, and it stopped.

      Is there something I can be doing on the firewall side to handle this? Im guessing im not the only one to see this situation happening. I run a 8GB RAM pfsense firewall so the max table is about 800,000, but when this thing pushes in to 7K range, it starts going sideways ...

      1 Reply Last reply Reply Quote 0
      • KOMK
        KOM
        last edited by

        Snort or Suricata can protect against SYN floods and other similar DoS attacks.

        1 Reply Last reply Reply Quote 0
        • Z
          zimmy6996
          last edited by

          675f4941-7fd8-40a1-83db-646e629dff2f-image.png

          Example of the types of connections that come in. There will be loads of them, coming from a handful of IP's. It's clearly a port scanning issue. Its just there is something new about the latest scripts running, because it's causing the connections to hang.

          1 Reply Last reply Reply Quote 0
          • johnpozJ
            johnpoz LAYER 8 Global Moderator
            last edited by johnpoz

            There is a currently been a flood of syn traffic, I am seeing large spike in such traffic - many coming from HK, but have seen others from Malta, etc.

            Yeah open services would always be open to such attacks. As mentioned IPS could help in preventing this from being forwarded in to your end device.

            Or can just block it with firewall, I blocked all access to 443 from anything other then US currently

            edit: BTW... I just looked and yesterday in that 24 hours period had 54k hits to 443 that were denied because IP was not US, and another 44k to ports 8080 from all sources.

            hitsyesterday.png

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.7.2, 24.11

            1 Reply Last reply Reply Quote 1
            • Z
              zimmy6996
              last edited by

              I'm going CRAZY here! I don't understand why this has never been a problem until about 30 days ago ... Here is a perfect example of what is happening ....

              WAN tcp 47.74.56.139:57289 -> 74.112.73.42:443 SYN_SENT:ESTABLISHED 1 / 4 40 B / 176 B
              LAN2 tcp 47.74.56.139:57289 -> 74.112.73.42:443 ESTABLISHED:SYN_SENT 1 / 4 40 B / 176 B
              WAN tcp 47.74.56.139:55885 -> 74.112.73.105:587 TIME_WAIT:TIME_WAIT 1 / 4 40 B / 172 B
              LAN2 tcp 47.74.56.139:55885 -> 74.112.73.105:587 TIME_WAIT:TIME_WAIT 1 / 4 40 B / 172 B
              WAN tcp 47.74.56.139:58651 -> 64.4.202.128:25 SYN_SENT:ESTABLISHED 1 / 5 40 B / 220 B
              LAN tcp 47.74.56.139:58651 -> 64.4.202.128:25 ESTABLISHED:SYN_SENT 1 / 5 40 B / 220 B
              WAN tcp 47.74.56.139:45114 -> 64.4.202.81:25 SYN_SENT:ESTABLISHED 1 / 5 40 B / 220 B
              LAN tcp 47.74.56.139:45114 -> 64.4.202.81:25 ESTABLISHED:SYN_SENT 1 / 5 40 B / 220 B
              WAN tcp 47.74.56.139:40592 -> 74.112.73.81:80 SYN_SENT:ESTABLISHED 1 / 6 40 B / 264 B
              LAN2 tcp 47.74.56.139:40592 -> 74.112.73.81:80 ESTABLISHED:SYN_SENT 1 / 6 40 B / 264 B
              WAN tcp 47.74.56.139:41011 -> 64.4.202.62:587 TIME_WAIT:TIME_WAIT 1 / 4 40 B / 172 B
              LAN tcp 47.74.56.139:41011 -> 64.4.202.62:587 TIME_WAIT:TIME_WAIT 1 / 4 40 B / 172 B
              WAN tcp 47.74.56.139:63295 -> 74.112.73.48:22 SYN_SENT:ESTABLISHED 1 / 5 40 B / 220 B
              LAN2 tcp 47.74.56.139:63295 -> 74.112.73.48:22 ESTABLISHED:SYN_SENT 1 / 5 40 B / 220 B
              WAN tcp 47.74.56.139:36741 -> 64.4.202.94:80 CLOSED:SYN_SENT 1 / 0 40 B / 0 B
              LAN tcp 47.74.56.139:36741 -> 64.4.202.94:80 SYN_SENT:CLOSED 1 / 0 40 B / 0 B
              WAN tcp 47.74.56.139:33678 -> 74.112.73.14:80 TIME_WAIT:TIME_WAIT 1 / 4 40 B / 172 B
              WAN tcp 47.74.56.139:58930 -> 74.112.73.41:443 SYN_SENT:ESTABLISHED 1 / 3 40 B / 132 B
              LAN2 tcp 47.74.56.139:33678 -> 74.112.73.14:80 TIME_WAIT:TIME_WAIT 1 / 4 40 B / 172 B
              LAN2 tcp 47.74.56.139:58930 -> 74.112.73.41:443 ESTABLISHED:SYN_SENT 1 / 3 40 B / 132 B
              WAN tcp 47.74.56.139:43105 -> 74.112.73.205:443 SYN_SENT:ESTABLISHED 1 / 6 40 B / 264 B
              LAN2 tcp 47.74.56.139:43105 -> 74.112.73.205:443 ESTABLISHED:SYN_SENT 1 / 6 40 B / 264 B
              WAN tcp 47.74.56.139:52604 -> 74.112.73.201:587 SYN_SENT:ESTABLISHED 1 / 6 40 B / 264 B
              WAN tcp 47.74.56.139:58313 -> 74.112.73.205:443 SYN_SENT:ESTABLISHED 1 / 6 40 B / 264 B
              LAN2 tcp 47.74.56.139:52604 -> 74.112.73.201:587 ESTABLISHED:SYN_SENT 1 / 6 40 B / 264 B
              LAN2 tcp 47.74.56.139:58313 -> 74.112.73.205:443 ESTABLISHED:SYN_SENT 1 / 6 40 B / 264 B
              WAN tcp 47.74.56.139:41633 -> 74.112.73.50:80 SYN_SENT:ESTABLISHED 1 / 6 40 B / 264 B
              LAN2 tcp 47.74.56.139:41633 -> 74.112.73.50:80 ESTABLISHED:SYN_SENT 1 / 6 40 B / 264 B
              WAN tcp 47.74.56.139:63062 -> 64.4.202.81:25 SYN_SENT:ESTABLISHED 1 / 3 40 B / 132 B
              LAN tcp 47.74.56.139:63062 -> 64.4.202.81:25 ESTABLISHED:SYN_SENT 1 / 3 40 B / 132 B
              WAN tcp 47.74.56.139:33238 -> 74.112.73.201:80 SYN_SENT:ESTABLISHED 1 / 6 40 B / 264 B
              LAN2 tcp 47.74.56.139:33238 -> 74.112.73.201:80 ESTABLISHED:SYN_SENT 1 / 6 40 B / 264 B
              WAN tcp 47.74.56.139:44409 -> 64.4.202.94:80 SYN_SENT:ESTABLISHED 1 / 6 40 B / 264 B
              LAN tcp 47.74.56.139:44409 -> 64.4.202.94:80 ESTABLISHED:SYN_SENT 1 / 6 40 B / 264 B

              Now this is just an example of 1 IP that is doing it to me. Sometimes it is a single IP that does it, sometimes it will be a random blast from a /24 network. Either way, it eats up 50K-500K session states. At times, it can really blast the system.

              Nothing has changed other than i think an upgrade from 2.4.4-p1 to 2.4.4-p3. I don't know if the pfSense version has something to do with it, or if it's something that has happened on the internet. Just crazy that all these sessions get stuck like this.

              Can anyone help?!?!??!

              1 Reply Last reply Reply Quote 0
              • johnpozJ
                johnpoz LAYER 8 Global Moderator
                last edited by johnpoz

                Help with what the pesky flies? Block them if they are doing a non flooding syn/state attack..

                We have all been seeing an uptick in such traffic - see my pesky fly thread ;)

                Where you run into problems is if volumetric type attack - nothing you can do about that but get with your upstream provider.

                It has nothing to do with pfsense.. I show that 47.74 56 guy is from japan.. Do you need to allow connections from JP? If not block the whole freaking country ;)

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.