Possible DoS attack
-
I'm new to pfSense. Today I noticed that one of the internet links from my company started using too much bandwidth. I ran a packet capture on it, and through its logs, I saw that there is one IP pinging the link's IP, so 99% of the packets are ICMP request and reply from this same IP. I created an alias and a rule, trying to block this IP. I put it on the top of all the other rules, but the ping didn't stop. I even tried installing Snort, configured it, ran it, but that IP is still pinging... I don't know what else to do.
-
@supermario_bueno If there's an open state you may need to kill it:
https://docs.netgate.com/pfsense/en/latest/troubleshooting/firewall.html#new-rules-are-not-applied
-
@steveits Oh, I see. I created and applied the rule blocking that IP, I checked, and there is an open state between my WAN and this IP, using the ICMP protocol. So I need to kill this connection. I just gotta figure out how to do that
-
I tried using the "pfctl -k host" command in the prompt, but it returns: "killed 0 states from 1 sources and 0 destinations", it's not killing the state =/ I also tried the command "pfctl -k host -k host", to try to kill that specific state, but I get the same return.
-
@supermario_bueno said in Possible DoS attack:
I even tried installing Snort, configured it, ran it, but that IP is still pinging... I don't know what else to do.
Yes, you know what to do ;)
You can't do anything on your side.
You have to go to the device that is pinging you, and stop that command that says "ping you". Example: If I was pinging your IP right now, could you stop me from doing that?
No.
But you could ask me to.
You could contact the guy that manages your upstream router/firewall, and ask them to "block" ping from a defined IP, a network or even more.
This means: contact your ISP. But, be careful (see below).
You can't block (stop) someone from sending you something. You can't block what comes down into your WAN pipe. Not on your side of the pipe.
Normally, a simple small ICMP (ping) packet will get dropped if the originating ICMP wasn't a request from your side.
You activated 'snort' (== millions of CPU cycles !!) to "analyse" (there is nothing to analyse).
What will happen if 'some one' now sends you many packets? Your pfSense spikes to 100% CPU utilisation .... and then it comes crashing down.
What to do?
- nothing: drop them as fast as possible. (what a beauty: this is pfSense's default countermeasure!) Don't try to do something with it (remember: cycles!!)
- Change the WAN IP, if possible.
- Make no enemies on the net. Because, you will lose (or get a huuuuuuge WAN pipe, like several Mbytes / sec, so you can welcome their packets with open arms)
- I'll say it again: if your ISP has a firewall, use it. (But they will probably not do that, they'll throw you off their client list)
- Hide yourself behind a VPN, and change your IP when needed.
- Analysing DOS traffic might be useful if you are preparing some MIT study, and you have the hardware to do so, like an entire Google Data centre.
- "keep a low profile" & "fly under the radar".
-
@supermario_bueno On the doc page I linked it says "See Check the State Table." That page says "the open connection will not be cut off. To see an immediate effect from a new block rule, the states must be reset. See Firewall States for more information." That will get you to here:
https://docs.netgate.com/pfsense/en/latest/monitoring/status/firewall-states-gui.html where you can click the trash can icon to delete a state.
Gertjan is correct that you can't end the incoming traffic since it's already gone down the wire to you, but if you are allowing your router to respond to pings then blocking the inbound would at least stop the outbound responses.
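The step the two answers above describe, finding the existing state for the remote IP and killing it so the new block rule takes effect, can also be done from the shell by reading `pfctl -ss` and building the matching `pfctl -k src -k dst` commands. The script below is an added example, not code from the thread or from pfSense; it assumes the usual IPv4 `pfctl -ss` line layout (`iface proto left:port <-|-> right:port state`) and uses constructed sample addresses.

```python
import re
import shlex

# Constructed sample of `pfctl -ss` output. Addresses are documentation ranges, not from the thread.
# Assumed layout: inbound states read "dst:port <- src:port", outbound "src:port -> dst:port".
SAMPLE_STATES = """\
wan icmp 203.0.113.10:1234 <- 198.51.100.7:1234       0:0
wan icmp 203.0.113.10:5678 -> 198.51.100.7:5678       0:0
wan tcp 203.0.113.10:443 <- 192.0.2.55:51234       ESTABLISHED:ESTABLISHED
lan udp 10.0.0.1:53 <- 10.0.0.42:40011       MULTIPLE:SINGLE
"""

# IPv4 only: pf prints IPv6 endpoints differently, so those lines are skipped here.
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<left>[\d.]+):(?P<lport>\d+)\s+(?P<dir><-|->|<->)\s+"
    r"(?P<right>[\d.]+):(?P<rport>\d+)\s+(?P<state>\S+)"
)


def parse_states(text):
    """Parse state lines; 'src' is always the host that created the state."""
    states = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if not m:
            continue  # header lines, IPv6 states, or anything unexpected
        d = m.groupdict()
        # "<-" means the packet came in from the right-hand host.
        src, dst = (d["right"], d["left"]) if d["dir"] == "<-" else (d["left"], d["right"])
        states.append({"iface": d["iface"], "proto": d["proto"],
                       "src": src, "dst": dst, "state": d["state"]})
    return states


def states_for_host(text, host):
    """All states in which `host` is either originator or target."""
    return [s for s in parse_states(text) if host in (s["src"], s["dst"])]


def kill_commands(text, host):
    """One `pfctl -k src -k dst` per distinct src/dst pair touching `host`.

    Using both -k arguments kills only that pair, so states for other hosts
    on the same interface are left alone.
    """
    cmds = {f"pfctl -k {shlex.quote(s['src'])} -k {shlex.quote(s['dst'])}"
            for s in states_for_host(text, host)}
    return sorted(cmds)


if __name__ == "__main__":
    for cmd in kill_commands(SAMPLE_STATES, "198.51.100.7"):
        print(cmd)
```

On a live box, feed `pfctl -ss` output into `kill_commands` and run the printed commands, then re-check `pfctl -ss` to confirm the ICMP states are gone.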
-
@steveits Thank you so much for your advice!! I tracked the location of that IP and just emailed the company, explaining what's happening. The most intriguing part is that the IP is from the agency that registers and maintains all ".br" websites here in Brazil, maybe they were victims of some kind of attack.