PfSense, Snort and DDOS protection
My colo has given me a 100Mbps connection. I am going to provide VPS hosting for some customers, and I wish to protect the network as much as possible from "attacks". By "attacks", I mean an attack which affects the service for other customers.
So I have a few questions:
1) What kind of system requirements would I require to run Snort on pfSense?
At the minute, my pfsense is running in a Xen VM. The Xen host has a 2.3GHz Quad Core Xeon processor (pfsense sees only 1 core). I have given the pfsense VM 512MB of RAM, but this can be increased if we need to. Once our customer base grows, the idea is to put pfsense on a physical server. This pfsense box doesn't do any port filtering, but it is there for bandwidth management and hopefully DDOS protection. All port filtering is done in iptables on the Xen host.
2) What is the best combination of rules for DDOS protection?
Is it just as simple as enabling the "dos.rules" in snort, and checking "Block Offenders"? What about any of the advanced settings in the rules settings of pfsense?
Any ideas would be appreciated, and maybe I could write a howto?
I should probably have mentioned that my pfsense is configured in bridge mode (WAN and PUBLIC interfaces are bridged together so I can give my VPSs public IPs). However, reading the openbsd docs:
"The SYN proxy will not work if PF is running on a bridge(4)"
Does this mean I can't use synproxy?
However, my WAN interface does have an IP address assigned to it (as normal NAT is done between WAN and LAN).
You cannot use synproxy with a bridge. A recent discussion on the freebsd-pf mailing list describes why, pull up its archives for a thorough explanation. SYN flooding isn't of a whole lot of concern anymore unless you're running 10+ year old OSes behind your firewall, pretty much every modern OS handles SYN flooding on its own very well.
As for DDoS protection in general, you have a 100 Mb pipe, which means even a small DDoS is going to take you completely offline by overloading your connection to your provider. There is nothing you can do to change that, it's too late once it gets to you, and you can't do anything about the traffic upstream. Your provider would have to help in such scenarios.
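To make the bridge limitation concrete, here is a pf.conf fragment added as an illustration (it is not from the thread above, and pfSense normally writes its own pf.conf from the GUI, so treat it as plain pf syntax rather than something to paste into pfSense). The interface names, the VPS prefix and the rate limits are assumptions; it contrasts a routed interface, where `synproxy state` is valid, with a bridged one, where pf can only do ordinary stateful filtering with per-source limits.

```pf
# Added example, not from the original thread. Assumed names:
#   em0 = routed WAN interface that carries its own IP address
#   em1 = member of the bridge in front of the customer VPSs
#   203.0.113.0/24 = customer VPS prefix (documentation range, constructed)
wan_if    = "em0"
bridge_if = "em1"
vps_net   = "203.0.113.0/24"
table <abusive> persist

# Routed path: pf completes the TCP handshake itself before it opens a
# state, so a half-open flood never reaches the host behind it.
pass in on $wan_if proto tcp to ($wan_if) port 443 flags S/SA synproxy state

# Bridged path: synproxy is not available on a bridge(4) member, so the
# rule keeps ordinary state and caps each source address instead:
#   max-src-conn 100     at most 100 open connections per source
#   max-src-conn-rate 15/5  more than 15 new connections in 5 s trips the overload
#   overload <abusive>   offending sources go into the table and are dropped
block in quick on $bridge_if from <abusive>
pass in on $bridge_if proto tcp to $vps_net port { 80 443 } flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, overload <abusive> flush global)
```

The limits protect the VPSs from a single noisy source, not from a flood that fills the 100 Mb uplink; that part of the answer above still stands.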