Netgate Discussion Forum

    Slow network download. Is pfsense under attack? please help me

      mauro.tridici

      Dear Users,

      During the last two weeks, I noticed that network performance has degraded dramatically.
      A test host behind the firewall can send data to the internet without problems (very good bit rate), but it is not able to download similar data from the internet with the expected throughput (we have two 10Gbps ISP links).

      We checked everything: hardware status, configuration, BGP, rules and so on. The only thing I can see is that pfsense seems to be under attack. It seems to be a scan attack or a SYN flood DoS attack, but I'm not an expert and I'm not sure I understand correctly what is happening.

      Could you please take a look at the attached firewall logs?
      What are your ideas/suggestions?
      If pfsense is under attack, how can it be mitigated?

      Thank you in advance,
      Mauro

      firewall-logs.txt

        stephenw10 Netgate Administrator

        That doesn't look like a particularly high traffic rate. < 10 connections a second.

        Check the Status > Monitoring graphs for the WAN. Look at the in-block rates for traffic and packets. If you are (or were) under some sort of attack it will be obvious there.

          mauro.tridici @stephenw10

          @stephenw10 thank you

          Unfortunately, I'm not able to see in-block rates in Status -> Monitoring.
          I'm using v.2.7.0 CE

          Thanks

            stephenw10 Netgate Administrator

            Why not? What do you see?

            Screenshot 2024-06-13 at 00-57-09 pfsense.fire.box - Status Monitoring.png

              mauro.tridici @stephenw10

              Hi @stephenw10, this is what I see

              Screenshot 2024-06-13 at 10.06.25.png

                Gertjan @mauro.tridici

                @mauro-tridici

                You see the wrench - top bar on the right side?
                Click it!
                Select the info you want to see.

                b4b59760-b6c5-434e-9776-a70c34014625-image.png

                  mauro.tridici @Gertjan

                  Hi @Gertjan, thank you very much for your help.
                  Now I can see the graph I need, but I'm still a newbie and I'm not able to understand if these values can be related to a suspicious DDoS attack or not.

                  What's your idea? This is the graph with the in-block info.
                  Thank you in advance,
                  Mauro

                  Screenshot 2024-06-13 at 11.01.05.png

                      Gertjan @mauro.tridici
                      @mauro-tridici

                      What about uncluttering the info shown ?

                      Example :

                      d65d710b-7223-4987-935f-88688c88621b-image.png

                      First : The right axis : set it to None.

                      Then, remove every "pass" graph by clicking on the colored circles, leaving only "blocking".

                      What you will see is what's been blocked ...
                      What I see is a bit of "the internet's usual back ground noise traffic". Nothing out of the ordinary.

                      To see what a DoS is, use this as a guideline.
                      So, start nagging 'them' and as soon as you draw their attention, be prepared, and have a second identity ready.

                        stephenw10 Netgate Administrator

                        Look at the inblock numbers. The maximum you're seeing (in that screenshot) is 27kbps. So basically nothing.

                        Sometimes you can see an attack that is low total bandwidth but a high number of tiny packets so check the pps in block value too. However at 27kbps you are not seeing that either.

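An added example (not part of any post in this thread, and not Netgate code): a rough version of the two checks stephenw10 describes, blocked bandwidth and blocked packets per second, computed from raw filterlog lines. The sample lines are constructed, the `ix0` interface name and the IPv4 field positions (taken from Netgate's raw filter log format) are assumptions, and the `pps_alarm`/`kbps_alarm` thresholds are illustrative only.

```python
from collections import defaultdict

# Constructed IPv4/TCP filterlog line using documentation addresses. Assumed field
# order: iface[4], action[6], direction[7], ipver[8], length[17], src[18], dst[19].
TEMPLATE = (
    "{ts} fw filterlog[1234]: 4,,,1000000103,ix0,match,block,in,4,0x0,,241,"
    "54321,0,none,6,tcp,{length},{src},203.0.113.10,44321,{dport},0,S,111,,1024,,mss")

# Constructed background-noise sample: four blocked probes over three seconds.
SAMPLE = "\n".join(
    TEMPLATE.format(ts=ts, length=length, src=src, dport=dport)
    for ts, length, src, dport in [
        ("Jun 13 10:06:25", 40, "198.51.100.7", 22),
        ("Jun 13 10:06:25", 60, "198.51.100.9", 23),
        ("Jun 13 10:06:26", 40, "192.0.2.44", 3389),
        ("Jun 13 10:06:27", 44, "198.51.100.7", 445),
    ])


def blocked_rates(text, iface="ix0"):
    """Map each log second to [packets, bits] blocked inbound on iface."""
    per_sec = defaultdict(lambda: [0, 0])
    for line in text.splitlines():
        if "filterlog[" not in line or "]: " not in line:
            continue
        f = line.split("]: ", 1)[1].split(",")
        if len(f) < 20 or f[8] != "4" or not f[17].isdigit():
            continue                    # only the IPv4 layout is handled here
        if (f[4], f[6], f[7]) != (iface, "block", "in"):
            continue
        bucket = per_sec[line[:15]]     # BSD syslog timestamp, 1 s resolution
        bucket[0] += 1
        bucket[1] += int(f[17]) * 8     # IP total length in bytes -> bits
    return dict(per_sec)


def assess(rates, pps_alarm=1000, kbps_alarm=10_000):
    """Peak pps/kbps plus a verdict; both thresholds are illustrative assumptions."""
    peak_pps = max((p for p, _ in rates.values()), default=0)
    peak_kbps = max((b for _, b in rates.values()), default=0) / 1000
    if peak_kbps >= kbps_alarm:
        verdict = "volumetric: high blocked bandwidth"
    elif peak_pps >= pps_alarm:
        verdict = "small-packet flood: low bandwidth, high pps"
    else:
        verdict = "background noise"
    return {"peak_pps": peak_pps, "peak_kbps": peak_kbps, "verdict": verdict}

print(assess(blocked_rates(SAMPLE)))
```

Only packets matched by rules with logging enabled reach the firewall log, so the inblock counters on the Status > Monitoring graph remain the authoritative numbers.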

                          mauro.tridici @stephenw10

                          @stephenw10 @Gertjan thanks, I found that the problem is a hardware problem. I will open a new case about backup and restore.

                          see you later :)
                          Mauro
