Netgate Discussion Forum

    DDoS protection for PfSense

    Firewalling
    ddospfsense
    10 Posts 5 Posters 30.5k Views
      nash27

      We run PfSense within AWS for VPN termination.

      We wanted to know if there are best practices to protect the PfSense itself against a potential DDoS attack. All forum posts suggest using the ha_proxy package for DDoS protection; however, this seems to be valid for protecting servers or hosts behind the PfSense that are load-balanced by the ha_proxy.

      Is there a good way to protect the PfSense itself from DDoS?

        johnpoz LAYER 8 Global Moderator

        The only way to protect against volumetric DDoS attacks is upstream of your connection.. Once a pipe is full, it's full.. The only way to protect against that is upstream, where data enters your pipe, to prevent it from becoming full..

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

          Cool_Corona

          It's easy. pfSense can handle massive amounts of incoming traffic.

          You need to tune it and how it handles connections.

          I use it as DDoS protection and it works perfectly.

            johnpoz LAYER 8 Global Moderator

            That is misleading info... Sorry, but if your pipe to pfSense is 100 Mbps, and there is 200 Mbps trying to come down the pipe, there is nothing pfSense could do, even if it can handle 1 Gbps of actual traffic.

            But sure, if your server behind pfSense can only handle 50 Mbps of traffic before it starts to fall down, then sure, pfSense could block bad traffic from getting sent to it so that real traffic stays below that 50 Mbps mark.

            But pfSense can do nothing if its WAN is fully saturated with bad traffic.

              Cool_Corona @johnpoz

              @johnpoz said in DDoS protection for PfSense:

              That is misleading info... Sorry, but if your pipe to pfSense is 100 Mbps, and there is 200 Mbps trying to come down the pipe, there is nothing pfSense could do, even if it can handle 1 Gbps of actual traffic.

              But sure, if your server behind pfSense can only handle 50 Mbps of traffic before it starts to fall down, then sure, pfSense could block bad traffic from getting sent to it so that real traffic stays below that 50 Mbps mark.

              But pfSense can do nothing if its WAN is fully saturated with bad traffic.

              Depends on how you sort the traffic (legit vs. non-legit).

              DDoS is connection attempts with different ACKs to keep the connection open and thereby flood the pipe.

              Tune pfSense in how it handles that kind of traffic and you're good to go (it's under the rules section -> Advanced).

                johnpoz LAYER 8 Global Moderator

                Dude, it doesn't matter what the traffic is if it's filling the pipe.. Doesn't matter if pfSense drops it all.. If the pipe is FULL of noise, good traffic cannot even get to pfSense..

                Why do people have such a hard time understanding this concept.. It's like a traffic jam on the highway... There are too many cars, and not even the ambulance can get through..

                Sorry, but there is nothing a firewall or router or any networking device at the end of the pipe can do about a volumetric DDoS attack.. The only thing you can do is head off the bad traffic upstream (i.e. at your ISP) so that bad traffic does not fill up your pipe.

                  Cool_Corona

                  It works. And consider that I blow up (kill states) the cars on the highway so the ambulance can get through...

                  It's throttling and treatment of packets (ACK).

                    johnpoz LAYER 8 Global Moderator

                    OMG -- dude, if I am sending 1 Gbps of traffic down your pipe, and your pipe is 10 Mbps.. How is any good traffic going to get to pfSense? At all??

                    This isn't complicated...

                    Your traffic cop at the end of the road can't do anything about the 3-mile-long pileup on the 1-lane road to him, if all the cars from a 10-lane freeway are trying to get onto the 1-lane dirt road..

                    You need to put someone up at the 10-lane freeway off-ramp to your 1-lane dirt road, to only let cars onto that road that you want..

                    You really need to do some more research if you think any sort of firewall, be it pfSense or a 100K super NGFW from Cisco, can do anything against a volumetric DDoS that fills up your 1-lane dirt road to get to it..

                    edit: this is a bit late.. But I ran across this just a bit ago, and thought this is a perfect example of how a firewall cannot stop a volumetric attack ;)

                    https://www.zdnet.com/article/google-says-it-mitigated-a-2-54-tbps-ddos-attack-in-2017-largest-known-to-date/

                    So even if you had a 1, 10 or even 100 gig pipe, what hope do you think your firewall would have with such an attack ;) 2.5TBps - this is what I mean when the pipe is full, it's full - nothing your firewall can do at the end of the pipe ;)

                      coldfix @johnpoz

                      @johnpoz
                      I thought it's quite obvious that there are 3 types of DDoS (denial of service, not denial of bandwidth) attacks:

                      1. Device input/output overuse
                      2. Device processor overuse
                      3. Device RAM or ROM overuse

                      As an example, my service was taken out by filling only <20% of my inbound bandwidth (<30 Mbytes/sec) but using 200% of my CPU time (all 8 logical cores of an E3-1270v2), just by forwarding over_9000 BLANK packets from port 443 to my internal mail server.

                      My internet provider for some reason has only bandwidth usage protection, without any Fail2ban-type service managed by me, i.e.

                      Long story short, I installed pfBlockerNG 4+ and now I am trying to run a fail2ban script on it. Maybe I'll write more when I finish.

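As an added example (not from this thread, pfBlockerNG or pfSense itself), the script below shows the per-source check a fail2ban-style script on pfSense would run, and which is also what the rule's Advanced option "Max. src. conn. Rate" (pf's `max-src-conn-rate n/s`) enforces in the kernel: it parses filterlog lines, counts new TCP connections per source in a sliding window, and reports sources that exceed the limit. The filterlog field positions and the sample log lines are assumptions labelled in the code; this check addresses connection-rate or state exhaustion of the firewall or hosts behind it, not a saturated WAN link.

```python
import csv
from collections import defaultdict, deque
from datetime import datetime

# IPv4/TCP filterlog field positions assumed from the pfSense docs:
# action=6, direction=7, ip-version=8, protocol text=16, src=18, tcp-flags=23.

def _line(ts, src, sport, flags="S"):
    # Constructed filterlog line (syslog prefix reduced to an ISO timestamp); not a real log.
    return (f"{ts} 5,,,1000000103,vtnet0,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,"
            f"{src},10.0.0.5,{sport},443,0,{flags},1,,65535,,mss")

SAMPLE_LOG = (
    # 12 new connections in 11 seconds from one source: a burst worth flagging
    [_line(f"2024-05-01T10:00:{i:02d}", "203.0.113.7", 40000 + i) for i in range(12)]
    # 3 new connections spread over 40 seconds: normal client behaviour
    + [_line(f"2024-05-01T10:00:{20 * i:02d}", "198.51.100.2", 50000 + i) for i in range(3)]
    # a bare ACK on an existing connection: not a new connection, must be ignored
    + [_line("2024-05-01T10:00:05", "203.0.113.9", 41000, flags="A")]
)

def parse_syn(line):
    """Return (timestamp, source IP) for an inbound passed IPv4 TCP SYN, else None."""
    ts_text, _, rest = line.partition(" ")
    f = next(csv.reader([rest]))
    if len(f) < 24 or f[6:9] != ["pass", "in", "4"] or f[16] != "tcp":
        return None
    if f[23] != "S":  # only a pure SYN opens a new state
        return None
    return datetime.fromisoformat(ts_text), f[18]

def rate_offenders(lines, max_conn, seconds):
    """Map source -> time it first exceeded max_conn new connections within `seconds`."""
    windows = defaultdict(deque)  # per-source timestamps inside the sliding window
    offenders = {}
    for line in lines:
        ev = parse_syn(line)
        if ev is None:
            continue
        ts, src = ev
        q = windows[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > seconds:  # drop events that aged out
            q.popleft()
        if len(q) > max_conn and src not in offenders:
            offenders[src] = ts
    return offenders

if __name__ == "__main__":
    for src, when in rate_offenders(SAMPLE_LOG, max_conn=10, seconds=10).items():
        print(f"{src} exceeded 10 new connections/10 s at {when:%H:%M:%S}")
```

Feed it real lines with `clog /var/log/filter.log` output after stripping the syslog prefix, and hand the offenders to whatever blocks them (an alias or pfBlockerNG list); the kernel option does the same without a script but cannot log who it throttled in this form.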
                        michmoor LAYER 8 Rebel Alliance @coldfix

                        @coldfix if you're looking for control plane protection (or policing), a different brand of FW would be needed, as pfSense does not have any mitigation for that.

                        Firewall: NetGate,Palo Alto-VM,Juniper SRX
                        Routing: Juniper, Arista, Cisco
                        Switching: Juniper, Arista, Cisco
                        Wireless: Unifi, Aruba IAP
                        JNCIP,CCNP Enterprise

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.