Netgate Discussion Forum
    ESP flood crashing firewall.

Firewalling
5 Posts, 2 Posters, 1.3k Views
nnelson2048

We have been experiencing an issue where our firewall seems to slow down the network to a crawl. The unusual part of the issue is that the broken traffic only seems to exist as a continually repeating message on the internet-facing interface, as opposed to traversing the firewall as one would expect based on the source and destination addresses in the packet capture. With the latest capture, the source address did not exist on our internal network and was not pingable. The destination always appears to be a random address on T-Mobile's network. Oddly, blocking the destination address on the source interface seems to stop the issue until the destination IP address changes again. Has anyone else seen this behavior on pfSense and can provide pointers on how to resolve the issue? A reboot also seems to stop the repeating message and restores the firewall to a functional state.


nnelson2048

        Update:

        The firewall slowdown happened again, and I was able to collect more data.
        We traced the connection through an AP, and I was able to record more firewall data.

        The AP records 25 KB sent. The firewall records over 247,493 MB sent. A packet capture shows the firewall is sending the message in a repeated loop.


On the CPU, if_io_tqg_3 is maxed out.

        PID USERNAME PRI NICE SIZE RES STATE C TIME WCPU COMMAND
        0 root -76 - 0B 912K CPU3 3 957:56 100.00% [kernel{if_io_tqg_3}]
        11 root 155 ki31 0B 128K RUN 2 38.2H 99.07% [idle{idle: cpu2}]
        11 root 155 ki31 0B 128K CPU5 5 38.2H 98.19% [idle{idle: cpu5}]
        11 root 155 ki31 0B 128K CPU0 0 35.5H 95.90% [idle{idle: cpu0}]
        11 root 155 ki31 0B 128K CPU7 7 37.9H 94.78% [idle{idle: cpu7}]
        11 root 155 ki31 0B 128K CPU6 6 38.2H 94.68% [idle{idle: cpu6}]
        11 root 155 ki31 0B 128K CPU1 1 38.2H 92.87% [idle{idle: cpu1}]
        11 root 155 ki31 0B 128K CPU4 4 38.1H 92.38% [idle{idle: cpu4}]
        0 root -76 - 0B 912K - 7 198:28 6.40% [kernel{if_io_tqg_7}]
        0 root -76 - 0B 912K - 4 191:42 6.30% [kernel{if_io_tqg_4}]
        0 root -76 - 0B 912K - 2 189:25 4.98% [kernel{if_io_tqg_2}]
        0 root -76 - 0B 912K - 1 187:04 4.88% [kernel{if_io_tqg_1}]
        0 root -76 - 0B 912K - 5 183:27 3.96% [kernel{if_io_tqg_5}]
        0 root -76 - 0B 912K - 6 184:39 3.56% [kernel{if_io_tqg_6}]
        0 root -76 - 0B 912K - 0 346:49 3.27% [kernel{if_io_tqg_0}]
        11 root 155 ki31 0B 128K RUN 3 25.6H 0.98% [idle{idle: cpu3}]

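A detection check for the symptom described above, added here as an example (it is not code from this thread or from pfSense): it scans tcpdump-style ESP lines and flags flows where the same SPI and sequence number keep repeating, which is what one packet being re-sent in a loop looks like, whereas a real tunnel advances its sequence number on every packet. The sample lines, addresses and thresholds are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed tcpdump-style lines (not from the thread's capture). The first
# flow re-emits one ESP packet with the same SPI and sequence number 40 times;
# the second is a healthy tunnel whose sequence number advances each packet.
SAMPLE_LINES = (
    ["10:15:01.%06d IP 203.0.113.45 > 198.51.100.7: ESP(spi=0x0000abcd,seq=0x1a), length 120"
     % (i * 1000) for i in range(40)]
    + ["10:15:02.%06d IP 192.0.2.10 > 192.0.2.20: ESP(spi=0x00001234,seq=0x%x), length 1400"
       % (i * 1000, i + 1) for i in range(40)]
)

# Matches the "IP src > dst: ESP(spi=...,seq=...)" form tcpdump prints for ESP.
ESP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ESP\(spi=(?P<spi>0x[0-9a-f]+),seq=(?P<seq>0x[0-9a-f]+)\)"
)

def parse_esp(line):
    """Return (src, dst, spi, seq) for an ESP line, or None for anything else."""
    m = ESP_RE.match(line)
    if not m:
        return None
    return (m["src"], m["dst"], m["spi"], int(m["seq"], 16))

def find_looping_esp(lines, min_packets=20, max_distinct_ratio=0.1):
    """Flag flows where the same (spi, seq) keeps repeating.

    A healthy ESP tunnel has almost as many distinct sequence numbers as
    packets. A packet being re-transmitted in a loop shows many packets but
    very few distinct sequence numbers, so the ratio collapses toward zero."""
    per_flow = defaultdict(Counter)
    for line in lines:
        parsed = parse_esp(line)
        if parsed:
            src, dst, spi, seq = parsed
            per_flow[(src, dst, spi)][seq] += 1
    suspects = {}
    for flow, seqs in per_flow.items():
        total = sum(seqs.values())
        if total >= min_packets and len(seqs) / total <= max_distinct_ratio:
            suspects[flow] = {"packets": total, "distinct_seq": len(seqs),
                              "top_seq": seqs.most_common(1)[0]}
    return suspects

if __name__ == "__main__":
    for flow, info in find_looping_esp(SAMPLE_LINES).items():
        print("looping ESP flow:", flow, info)
```

Feed it the output of tcpdump run on the WAN interface with an ESP filter to confirm whether the repeated sends are one packet looping rather than a burst of distinct packets.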
Cool_Corona

          https://www.sciencedirect.com/topics/computer-science/flooding-attack

          SYN Flood attack....

nnelson2048 @Cool_Corona

            @cool_corona said in ESP flood crashing firewall.:

            https://www.sciencedirect.com/topics/computer-science/flooding-attack

            What is the best method of blocking this attack on pfSense?

Cool_Corona @nnelson2048

@nnelson2048 It's a vulnerability in PF and it has been addressed before.

              Rules -> Advanced settings and


Try to run SYN Proxy on the rule and see if it helps. And try to limit the number of connections per host/IP.

              Copyright 2026 Rubicon Communications LLC (Netgate). All rights reserved.