Netgate Discussion Forum
    Firewall to defend DDOS Attack

    Firewalling
rwhawkes

      We recently had a DDOS attack on one of our IP addresses. We have quite a few because we host ecommerce websites. At the height of the attack, thousands of IP addresses were simultaneously hitting the website and at one point it flooded our Sonicwall firewall.

      Our current configuration goes something like this:

      External IP address 207.194.x.x goes into Sonicwall Firewall

      Sonicwall NATs it to 192.168.x.x and that's picked up by a Webmux load balancer

      Webmux then sends the traffic out to one or more webservers to handle the load.

      However once we get several thousand requests per second, everything gets buried.

I want to put a pfSense firewall between Sonicwall and Webmux in the event that we have another DDOS attack, and it will check against a list of banned IP addresses and only let through legitimate traffic. However, I must be missing a step because it's not working.

I have set up pfSense with a VIP which does a 1:1 NAT to an internal IP address. Essentially 192.168.74.10 is the VIP and it NATs to 10.1.99.10. Then the Webmux load balancer picks up 10.1.99.10 and sends it to the web farm.

      I cannot get the traffic to go from 192.168.74.10 to 10.1.99.10  … Can someone suggest what firewall rules I might need to make this work? Or maybe I am just on the wrong track altogether.

gderf

        If all of your bandwidth is being consumed by this attack, then I am pretty sure that adding another firewall appliance into your local part of the pipe will not help. The place you really need to have this filtered out is upstream, at your provider.

rwhawkes

Bandwidth isn't a problem - we have a 100 Mbps pipe and it never got higher than 15-20% before the firewall was buried.

          I found that I could constrain the traffic to the attacked website so that the firewall lets through say 5% … The problem is that most of that is crap, so I wanted to turn it away and just let the good stuff through.

m4rcu5

            Hi rwhawkes,

What I use to block the crap out is the rate limiter on the rules. Why on earth would someone make 100 conns/s if he is just browsing on port 80? That usually blocks the big offenders. If you have something like Slowloris going on then Snort might be of help.
Snort also does a nice job blocking any known malicious networks.

            Hope this helps a bit in blocking your attacks.

            -m4rcu5

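The per-source connection-rate limit m4rcu5 describes is pf's `max-src-conn-rate N/S` check: a source that opens more than N new connections in any S-second window is flagged and its later connections are dropped. The script below is an added example, not code from the thread or from pfSense; it emulates that sliding-window check over a constructed sample of new connections (an obvious flood, a normal browser, and a burst that stays under the limit) so you can see which sources a "100 conns/s" setting would catch, and includes a helper for measuring the peak rate real clients reach before you pick a threshold. Timestamps are integer milliseconds and the IP addresses are documentation ranges, all constructed for the example.

```python
from collections import defaultdict, deque

# Constructed sample of new TCP connections to port 80: (timestamp_ms, source_ip).
SAMPLE_CONNECTIONS = (
    # 150 connections in ~0.75 s from one source: the kind of flood described in the thread
    [(10_000 + i * 5, "198.51.100.7") for i in range(150)]
    # 8 connections spread over 4 s: a normal browser loading a page
    + [(10_000 + i * 500, "203.0.113.20") for i in range(8)]
    # 60 connections in ~1.2 s: a busy but legitimate client, still under 100/s
    + [(12_000 + i * 20, "192.0.2.99") for i in range(60)]
)


def offending_sources(connections, max_conns, window_ms):
    """Emulate pf's 'max-src-conn-rate max_conns/window' check.

    A source is flagged the first time it has more than max_conns new
    connections inside any sliding window of window_ms milliseconds.
    Returns {source_ip: timestamp_ms at which the limit was crossed}.
    """
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    flagged = {}
    for ts, src in sorted(connections):
        if src in flagged:
            continue              # already in the block table; nothing more to count
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window_ms:
            q.popleft()           # drop connections that fell out of the window
        if len(q) > max_conns:
            flagged[src] = ts
    return flagged


def peak_window_count(connections, window_ms):
    """Highest number of new connections any single source opened within one
    window_ms window. Run this over a capture of normal traffic to choose a
    threshold that real browsers never reach but a flood always exceeds."""
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for ts, src in sorted(connections):
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window_ms:
            q.popleft()
        peak[src] = max(peak[src], len(q))
    return dict(peak)


if __name__ == "__main__":
    # 100 new connections per 1 second, the figure m4rcu5 gives as an obvious ceiling
    blocked = offending_sources(SAMPLE_CONNECTIONS, max_conns=100, window_ms=1000)
    for src, ts in blocked.items():
        print(f"{src} exceeded 100 conns/s at t={ts} ms; would be added to the block table")
    for src, n in peak_window_count(SAMPLE_CONNECTIONS, 1000).items():
        print(f"{src}: peak {n} new connections in any 1 s window")
```

Only the flooding source is flagged; the busy legitimate client peaks at 51 connections per second and passes. On pfSense the same check is the "Max. src. conn. rate" field in a rule's advanced options, and pf places offenders in a table that blocks their subsequent connections, which is the firewall-level equivalent of the banned-IP list the original poster wanted.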