Web page DDOS
I hope I'm posting this in the right place….
We are using pfsense 1.2-Release (Sun Feb 24) in front of a few web servers. We forward port 80 and 443 (using an alias of "web"). The rule has a state type of synproxy. I have increased the number of states to 30,000 (there's 2 gigs of RAM on the machine).
Over the past few days, we've had several dozen computers hitting a single page on our site repeatedly dozens of times per second in what certainly appears to be a distributed denial of service attack. This has caused the web server to stop serving pages, but it also seems to be causing a problem with pfsense as well. During these attacks, I cannot access the web gui via our ipsec connection. Our normal states table has between 150 - 500 states at any given time, and during the attacks, it gets up above 5,000.
The problem here is that synproxy isn't really effective since the attack is legitimately requesting a web page (via a GET request). I'm considering installing the SNORT package, but I'm not sure it would really solve the problem.
I am unsure how to deal with this problem, and would very much appreciate any advice or suggestions that anyone can offer.
Alrighty then, this must not be something pfsense can handle.
Check for an update under System > Firmware.
Check to see where it's coming from under the current states when you get it or shortly afterwards, or start logging connections and see if you notice a trend.
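One way to pull that trend out of a saved state dump, as an added example that is not part of the thread: it counts inbound TCP states per remote address toward the forwarded web ports. It assumes the one-line-per-state layout of `pfctl -ss` output; the sample lines, addresses and the `min_states` cutoff are constructed.

```python
import sys
from collections import Counter

# Constructed sample in the assumed `pfctl -ss` layout (documentation addresses):
#   <if> <proto> <local ip:port> <- [<gateway ip:port> <-] <remote ip:port> <state>
SAMPLE = """\
self tcp 192.168.1.10:80 <- 198.51.100.1:80 <- 203.0.113.7:40112 ESTABLISHED:ESTABLISHED
self tcp 192.168.1.10:80 <- 198.51.100.1:80 <- 203.0.113.7:40113 PROXY:DST
self tcp 192.168.1.10:80 <- 198.51.100.1:80 <- 203.0.113.7:40114 ESTABLISHED:ESTABLISHED
self tcp 192.168.1.10:80 <- 198.51.100.1:80 <- 203.0.113.7:40115 FIN_WAIT_2:FIN_WAIT_2
self tcp 192.168.1.10:80 <- 198.51.100.1:80 <- 203.0.113.9:51200 ESTABLISHED:ESTABLISHED
self tcp 192.168.1.10:80 <- 198.51.100.1:80 <- 203.0.113.9:51201 ESTABLISHED:ESTABLISHED
self tcp 192.168.1.10:443 <- 198.51.100.1:443 <- 203.0.113.9:51202 ESTABLISHED:ESTABLISHED
self tcp 192.168.1.10:80 <- 198.51.100.1:80 <- 198.51.100.23:33001 ESTABLISHED:ESTABLISHED
self tcp 192.168.1.10:22 <- 203.0.113.7:50000 ESTABLISHED:ESTABLISHED
self tcp 192.168.1.20:51000 -> 198.51.100.1:51000 -> 192.0.2.50:25 ESTABLISHED:ESTABLISHED
self udp 192.168.1.20:123 -> 192.0.2.60:123 MULTIPLE:MULTIPLE
"""

WEB_PORTS = {80, 443}  # the ports forwarded by the "web" alias in the question


def parse_inbound(line):
    """Return (remote_ip, local_port) for an inbound TCP state line, else None."""
    fields = line.split()
    if len(fields) < 6 or fields[1] != "tcp" or fields[3] != "<-":
        return None  # outbound state, other protocol, or a verbose detail line
    # Everything between the protocol and the state column, minus the arrows.
    addrs = [f for f in fields[2:-1] if f != "<-"]
    remote_ip = addrs[-1].rpartition(":")[0]
    local_port = addrs[0].rpartition(":")[2]
    if not remote_ip or not local_port.isdigit():
        return None
    return remote_ip, int(local_port)


def top_sources(text, ports=WEB_PORTS, min_states=2):
    """List (remote_ip, state_count) pairs, busiest first, at or above min_states."""
    counts = Counter()
    for line in text.splitlines():
        parsed = parse_inbound(line)
        if parsed and parsed[1] in ports:
            counts[parsed[0]] += 1
    return [(ip, n) for ip, n in counts.most_common() if n >= min_states]


if __name__ == "__main__":
    # Pass a file saved with `pfctl -ss > states.txt`; without one, use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for ip, n in top_sources(text):
        print(f"{n:6d}  {ip}")
```

Sources that hold far more states than the rest during an attack window are the candidates for a block rule or a per-source connection limit on the web rule.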