Netgate Discussion Forum

    Web page DDOS

    Firewalling
      jasonl99

      I hope I'm posting this in the right place….

      We are using pfSense 1.2-Release (Sun Feb 24) in front of a few web servers.  We forward port 80 and 443 (using an alias of "web").  The rule has a state type of synproxy.  I have increased the number of states to 30,000 (there's 2 gigs of RAM on the machine).

      Over the past few days, we've had several dozen computers hitting a single page on our site repeatedly dozens of times per second in what certainly appears to be a distributed denial of service attack.  This has caused the web server to stop serving pages, but it also seems to be causing a problem with pfSense as well.  During these attacks, I cannot access the web GUI via our IPsec connection.  Our normal states table has between 150 - 500 states at any given time, and during the attacks, it gets up above 5,000.

      The problem here is that synproxy isn't really effective since the attack is legitimately requesting a web page (via a GET request).  I'm considering installing the SNORT package, but I'm not sure it would really solve the problem.

      I am unsure how to deal with this problem, and would very much appreciate any advice or suggestions that anyone can offer.

        jasonl99

        Alrighty then, this must not be something pfSense can handle.

          XIII

          Check for an update under System > Firmware.
          Check to see where it's coming from under the current states when you get it or shortly afterwards, or start logging connections and see if you notice a trend.

          -Chris Stutzman
          Sys0:2.0.1: AMD Sempron 140 @2.7 1024M RAM 100GHD
          Sys1:2.0.1: Intel P4 @2.66 1024M RAM 40GHD

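An added example, not part of the original posts: one way to look for the trend the last reply suggests is to count, per source address, how many requests hit the same page inside a short sliding window of the web server's access log. It assumes the server writes Common/Combined Log Format in time order; the function names, thresholds, addresses and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common/Combined Log Format: ip - - [time] "METHOD path proto" status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def parse(line):
    """Return (ip, timestamp, path without query string), or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, _method, path, _status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    # Strip the query string so varying parameters still count as one page.
    return ip, when, path.split("?", 1)[0]

def find_flooders(lines, window_s=2, threshold=20):
    """Return {path: {ip: peak}} for sources that sent at least `threshold`
    requests for one path within any `window_s`-second window."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)      # (ip, path) -> timestamps still in window
    peaks = defaultdict(dict)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue                 # skip malformed lines instead of failing
        ip, when, path = rec
        q = recent[(ip, path)]
        q.append(when)
        while when - q[0] >= window: # drop entries that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            peaks[path][ip] = max(peaks[path].get(ip, 0), len(q))
    return {path: dict(ips) for path, ips in peaks.items()}

def make_sample():
    """Constructed log: three sources at 12 req/s on one page, one normal client."""
    lines = []
    for sec in (0, 1):
        stamp = f"01/Mar/2008:10:00:{sec:02d} +0000"
        for ip in ("203.0.113.10", "203.0.113.11", "203.0.113.12"):
            for i in range(12):
                lines.append(f'{ip} - - [{stamp}] "GET /search.php?q={i} HTTP/1.1" 200 512')
        lines.append(f'198.51.100.7 - - [{stamp}] "GET /search.php HTTP/1.1" 200 512')
    return lines

if __name__ == "__main__":
    for path, ips in find_flooders(make_sample()).items():
        print(path, ips)
```

Addresses flagged this way can be compared against the sources seen in the firewall's state table during an attack, then collected into an alias used by a block rule.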
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.