Netgate Discussion Forum

    With Suricata Running pfsense crashes when DDoS'ed

      Cool_Corona

      Hi

      When Suricata is running, the FW crashes when DDoS'ed when hit with around 140K PPS.

      Without it, it runs fine and is fairly resilient, with a lot less strain on the CPU, which is understandable.

      The reason for the crash with Suricata seems to be the log writing speed. When hit, it can't keep up writing the logs and crashes.

      I can't get any logs out from that point in time since it's going very fast.

        Gertjan @Cool_Corona

        @cool_corona

        Isn't that the very definition of what a DoS tries to do?
        If every incoming packet header receives a lot of CPU attention, like having it analysed by whatever userland process like Suricata, things will go bad. Writing logs for now, memory and missing processor capacity will be next.

        I was under the impression that Suricata would scan headers of packets that are part of an existing active connection, not every packet that drops in.
        Or bind it to the LANs, not the WAN, as packets get dropped anyway and as fast as possible.

        It can be done, of course, but your "processing power pipe" has to be bigger than your WAN throughput pipe.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

          Cool_Corona @Gertjan

          @gertjan It is. Topping out at around 1 Gbit/s. Pipe is 10 Gbit/s.

          Without Suricata running, the FW fares well and load sits below 25% on CPU and 4% RAM.

          When SC is running then it dies instantly. Both legacy and inline mode.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.