Web page DDOS
-
I hope I'm posting this in the right place….
We are using pfsense 1.2-Release (Sun Feb 24) in front of a few web servers. We forward port 80 and 443 (using an alias of "web"). The rule has a state type of synproxy. I have increased the number of states to 30,000 (there's 2 gigs of RAM on the machine).
Over the past few days, we've had several dozen computers hitting a single page on our site repeatedly dozens of times per second in what certainly appears to be a distributed denial of service attack. This has caused the web server to stop serving pages, but it also seems to be causing a problem with pfsense as well. During these attacks, I cannot access the web gui via our ipsec connection. Our normal states table has between 150 - 500 states at any given time, and during the attacks, it gets up above 5,000.
The problem here is that synproxy isn't really effective since the attack is legitimately requesting a web page (via a GET request). I'm considering installing the SNORT package, but I'm not sure it would really solve the problem.
I am unsure how to deal with this problem, and would very much appreciate any advice or suggestions that anyone can offer.
-
Alrighty then, this must not be something pfsense can handle.
-
Check for an update under System > Firmware.
Check to see where it's coming from under the current states when you get it or shortly afterwards, or start logging connections and see if you notice a trend.
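
One way to look for the trend suggested above, as an added example that is not part of the original thread: it scans web server access log lines for pages that several sources each request many times per second. It assumes the web servers write Common Log Format; the function name, thresholds and sample log lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')

def find_repeat_hitters(lines, max_per_sec=10, min_sources=3):
    """Return {path: {ip: peak_requests_per_second}} for pages that at least
    min_sources distinct addresses each requested more than max_per_sec times
    within a single second."""
    per_second = Counter()              # (ip, path, second) -> request count
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue                    # skip malformed or truncated lines
        ip, ts, method, path, _status = m.groups()
        if method != "GET":
            continue
        second = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        # Drop the query string so varied parameters still count as one page.
        per_second[(ip, path.split("?")[0], second)] += 1

    peaks = defaultdict(dict)           # path -> ip -> peak rate
    for (ip, path, _sec), count in per_second.items():
        if count > max_per_sec:
            peaks[path][ip] = max(count, peaks[path].get(ip, 0))
    # A single fast client is not a distributed pattern; require several.
    return {p: ips for p, ips in peaks.items() if len(ips) >= min_sources}

def sample_log():
    """Constructed sample: three sources hammering one page, one normal visitor.
    Addresses come from the documentation ranges, not from any real incident."""
    fmt = '{ip} - - [02/Mar/2008:14:05:{s:02d} +0000] "GET {path} HTTP/1.1" 200 5120'
    lines = []
    for ip in ("192.0.2.10", "192.0.2.11", "203.0.113.5"):
        lines += [fmt.format(ip=ip, s=1, path="/page.php?id=%d" % i) for i in range(25)]
    lines += [fmt.format(ip="198.51.100.7", s=s, path=p)
              for s, p in ((1, "/index.html"), (2, "/page.php"), (9, "/index.html"))]
    return lines

if __name__ == "__main__":
    for path, sources in find_repeat_hitters(sample_log()).items():
        print(path)
        for ip, rate in sorted(sources.items()):
            print("  %-15s peak %d req/s" % (ip, rate))
```

The addresses it reports are candidates to compare against the firewall's current states before deciding on a block or rate limit.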