Firewall to defend DDOS Attack



  • We recently had a DDOS attack on one of our IP addresses. We have quite a few because we host ecommerce websites. At the height of the attack, thousands of IP addresses were simultaneously hitting the website and at one point it flooded our Sonicwall firewall.

    Our current configuration goes something like this:

    External IP address 207.194.x.x goes into Sonicwall Firewall

    Sonicwall NATs it to 192.168.x.x and that's picked up by a Webmux load balancer

    Webmux then sends the traffic out to one or more webservers to handle the load.

    However once we get several thousand requests per second, everything gets buried.

    I want to put a PFSense firewall between Sonicwall and Webmux in the event that we have another DDOS attack, and it will check against a list of banned IP addresses and only let through legitimate traffic. However I must be missing a step because it's not working.

    I have set up PFSense with a VIP that does a 1:1 NAT to an internal IP address. Essentially 192.168.74.10 is the VIP and it NATs to 10.1.99.10. Then the Webmux load balancer picks up 10.1.99.10 and sends it to the web farm.

    I cannot get the traffic to go from 192.168.74.10 to 10.1.99.10 … Can someone suggest what firewall rules I might need to make this work? Or maybe I am just on the wrong track altogether.



  • If all of your bandwidth is being consumed by this attack, then I am pretty sure that adding another firewall appliance into your local part of the pipe will not help. The place you really need to have this filtered out is upstream, at your provider.



  • Bandwidth isn't a problem - we have a 100 Mbps pipe and it never got higher than 15-20% before the firewall was buried.

    I found that I could constrain the traffic to the attacked website so that the firewall lets through say 5% … The problem is that most of that is crap, so I wanted to turn it away and just let the good stuff through.



  • Hi rwhawkes,

    What I use to block the crap out is the rate limiter on the rules. Why on earth would someone make 100 conns/s if he is just browsing on port 80? That usually blocks the big offenders. If you have something like slowloris going on then Snort might be of help.
    Snort also does a nice job blocking any known malicious networks.

    Hope this helps a bit in blocking your attacks.

    -m4rcu5
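The two pieces discussed in this thread, the 1:1 NAT from the VIP to the internal host and the per-source rate limiter on the pass rule, can be written out as one pf ruleset. The fragment below is an added example, not configuration posted by anyone in the thread and not pfSense's generated rules; it assumes pfSense is being driven from a plain pf.conf, and the interface names, the table name and the limit values are assumptions chosen for illustration. The addresses are the ones given in the question.

```pf
# Added example (not from the thread). Interface names, table name and the
# thresholds are assumptions; 192.168.74.10 and 10.1.99.10 come from the question.
ext_if = "em0"            # interface facing the Sonicwall (192.168.74.0/24 side)
int_if = "em1"            # interface facing the Webmux (10.1.99.0/24 side)
vip    = "192.168.74.10"  # 1:1 NAT virtual IP on the outside
web    = "10.1.99.10"     # internal address the Webmux picks up

# Sources that exceed the per-source limits are added to this table and dropped
# on the next packet, before any state lookup. Old entries can be aged out with
# "pfctl -t flooders -T expire <seconds>" from cron.
table <flooders> persist
block in quick on $ext_if from <flooders>

# 1:1 NAT: translate both directions between the VIP and the internal host.
binat on $ext_if from $web to any -> $vip

# pf filters after translation, so the pass rule must name the internal address
# (10.1.99.10), not the VIP. This is the step most often missed with 1:1 NAT.
# The rule also enforces the rate limiter from the last reply: at most 100
# concurrent states and 100 new connections per second from any one source;
# crossing either limit puts the source in <flooders> and flushes its states.
pass in on $ext_if proto tcp from any to $web port { 80 443 } \
    flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 100/1, overload <flooders> flush global)

# Let the translated traffic continue out towards the Webmux.
pass out on $int_if proto tcp from any to $web port { 80 443 } keep state
```

Two things to check before relying on this: the Webmux (or whatever sits at 10.1.99.10) must route its replies back through the pfSense box, otherwise the binat translation never sees the return packets and the connection never completes; and the 100 conns/s figure is the threshold the last reply mentions, not a measured value, so it should be tuned against the site's own traffic before an attack rather than during one, since a legitimate proxy or NAT gateway in front of many users can exceed it.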

