Web page DDOS

  • I hope I'm posting this in the right place….

    We are using pfsense 1.2-Release (Sun Feb 24) in front of a few web servers.  We forward port 80 and 443 (using an alias of "web").  The rule has a state type of synproxy.  I have increased the number of states to 30,000 (there's 2 gigs of RAM on the machine).

    Over the past few days, we've had several dozen computers hitting a single page on our site repeatedly dozens of times per second in what certainly appears to be a distributed denial of service attack.  This has caused the web server to stop serving pages, but it also seems to be causing a problem with pfsense as well.  During these attacks, I cannot access the web gui via our ipsec connection.  Our normal states table has between 150 - 500 states at any given time, and during the attacks, it gets up above 5,000.

    The problem here is that synproxy isn't really effective since the attack is legitimately requesting a web page (via a GET request).  I'm considering installing the SNORT package, but I'm not sure it would really solve the problem.

    I am unsure how to deal with this problem, and would very much appreciate any advice or suggestions that anyone can offer.

  • Alrighty then, this must not be something pfsense can handle.

  • Check for an update under System > Firmware.
    Check to see where it's coming from under the current states when you get it or shortly afterwards, or start logging connections and see if you notice a trend.
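
One way to look for the trend suggested in the reply above, as an added example that is not part of the original thread: it scans web server access-log lines and flags any source that requests the same page many times within one second. The combined log format, the `/page.php` path, the sample addresses and the threshold of 10 requests per second are assumptions made for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Common/combined log format: ip ident user [time] "METHOD path PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<path>\S+)[^"]*" \d{3}'
)

def find_repeat_requesters(lines, per_second_threshold=10):
    """Return {(ip, path): peak requests seen in any one second} for every
    source/page pair whose peak reaches the threshold."""
    per_second = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore malformed or truncated lines
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        per_second[(m["ip"], m["path"], ts)] += 1
    peaks = {}
    for (ip, path, _ts), n in per_second.items():
        peaks[(ip, path)] = max(peaks.get((ip, path), 0), n)
    return {k: v for k, v in peaks.items() if v >= per_second_threshold}

def targeted_paths(offenders):
    """Count how many distinct flagged sources are hitting each path."""
    return Counter(path for (_ip, path) in offenders)

# Constructed sample: three sources hammer one page, one visitor browses normally.
SAMPLE_LOG = [
    f'{ip} - - [01/Jan/2024:10:15:30 +0000] "GET /page.php HTTP/1.1" 200 5120'
    for ip in ("203.0.113.10", "203.0.113.11", "198.51.100.7")
    for _ in range(12)
] + [
    '192.0.2.44 - - [01/Jan/2024:10:15:30 +0000] "GET /index.html HTTP/1.1" 200 2048',
    '192.0.2.44 - - [01/Jan/2024:10:15:31 +0000] "GET /page.php HTTP/1.1" 200 5120',
    "truncated line without the expected fields",
]

if __name__ == "__main__":
    offenders = find_repeat_requesters(SAMPLE_LOG)
    for (ip, path), peak in sorted(offenders.items()):
        print(f"{ip} requested {path} {peak} times in one second")
    print("pages under load:", dict(targeted_paths(offenders)))
```
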
