    Netgate Discussion Forum
    how to defend a SYNFLOOD attack on lan?

    Firewalling
      steven2005 last edited by

      Hi
      I am a new user to pfSense.
      How do I defend against a SYN flood attack on the LAN? The default rule is very bad.
      Can someone help? Thanks!

        sullrich last edited by

        Modify the default LAN rule. Click on the "Advanced" button under the "Advanced Options" area.

        Change Maximum new connections / per second to 10 and 1.

        This will blacklist the IP if it tries to make more than 10 connections a sec. This number may be a little low, you'll have to tweak it some.

        Once you have changed the rule, run this command from a shell to inspect the blocked table:

        pfctl -t virusprot -Ts

        To delete an item in the blacklist:

        pfctl -t virusprot -T delete $IPADDRESS

        Change $IPADDRESS to the address in question.

          steven2005 last edited by

          Thank you, very nice!!

            mastrboy last edited by

            Can't you also set the state to synproxy instead of keep state?

            Quote from the PF FAQ:
            "TCP SYN Proxy

            Normally when a client initiates a TCP connection to a server, PF will pass the handshake packets between the two endpoints as they arrive. PF has the ability, however, to proxy the handshake. With the handshake proxied, PF itself will complete the handshake with the client, initiate a handshake with the server, and then pass packets between the two. The benefit of this process is that no packets are sent to the server before the client completes the handshake. This eliminates the threat of spoofed TCP SYN floods affecting the server because a spoofed client connection will be unable to complete the handshake."

            I thought this would protect from a synproxy attack?

            A rule I have with this activated:

            pass in log quick on dc0 inet proto tcp from any to 192.168.0.x port = http flags S/SA synproxy state label "USER_RULE: NAT WAN -> Web Server (synproxy)"
              sullrich last edited by

              @mastrboy:

              Can't you also set the state to synproxy instead of keep state?

              Quote from the PF FAQ:
              "TCP SYN Proxy

              Normally when a client initiates a TCP connection to a server, PF will pass the handshake packets between the two endpoints as they arrive. PF has the ability, however, to proxy the handshake. With the handshake proxied, PF itself will complete the handshake with the client, initiate a handshake with the server, and then pass packets between the two. The benefit of this process is that no packets are sent to the server before the client completes the handshake. This eliminates the threat of spoofed TCP SYN floods affecting the server because a spoofed client connection will be unable to complete the handshake."

              I thought this would protect from a synproxy attack?

              A rule I have with this activated:

              pass in log quick on dc0 inet proto tcp from any to 192.168.0.x port = http flags S/SA synproxy state label "USER_RULE: NAT WAN -> Web Server (synproxy)"

              Yes that would work but he wanted to track down the culprit as well.

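As an added example that is not part of the thread, here is a pf.conf fragment in the form pfSense generates for the two approaches above: the rate-limited LAN rule that overloads offenders into the virusprot table, beside the synproxy variant. The interface names em0/em1, the 192.168.0.0/24 LAN and the 192.168.0.10 server address are assumed placeholders.

```pf
# Added example (not from the thread). Interfaces em0 (WAN) and em1 (LAN),
# the 192.168.0.0/24 LAN and the 192.168.0.10 web server are assumed.

# Table that overloaded source addresses are added to at run time.
# Inspect it with "pfctl -t virusprot -Ts", remove an entry with
# "pfctl -t virusprot -T delete <address>".
table <virusprot> persist

# Sources already in the table are dropped before any pass rule is reached.
block in log quick from <virusprot> to any label "virusprot overload table"

# 1. Rate-limited stateful rule. This is what "Maximum new connections /
#    per second" set to 10 and 1 produces: a single source may open at most
#    10 new connections per second; beyond that the source is added to
#    <virusprot> and all of its existing states are flushed. Because the
#    limit is keyed on the source address, the table tells you which LAN
#    host is misbehaving, which is why it suits the original question.
pass in quick on em1 inet proto tcp from 192.168.0.0/24 to any flags S/SA \
    keep state (max-src-conn-rate 10/1, overload <virusprot> flush global) \
    label "USER_RULE: LAN to any, rate limited"

# 2. SYN proxy variant for a server reachable by untrusted clients. pf
#    completes the three-way handshake itself and only then opens the
#    connection to the server, so spoofed SYNs never reach it. It does not
#    record the offending source, so it does not help pinpoint a culprit;
#    conversely, a source-keyed overload table is of little use against
#    spoofed sources, since each forged SYN arrives from a different address.
pass in log quick on em0 inet proto tcp from any to 192.168.0.10 port = http \
    flags S/SA synproxy state label "USER_RULE: NAT WAN -> Web Server (synproxy)"
```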
                mastrboy last edited by

                I see, thanks for clearing up my confusion.

                  xenothrix last edited by

                  @sullrich:

                  Modify the default LAN rule. Click on the "Advanced" button under the "Advanced Options" area.

                  Change Maximum new connections / per second to 10 and 1.

                  This will blacklist the IP if it tries to make more than 10 connections a sec. This number may be a little low, you'll have to tweak it some.

                  Once you have changed the rule, run this command from a shell to inspect the blocked table:

                  pfctl -t virusprot -Ts

                  To delete an item in the blacklist:

                  pfctl -t virusprot -T delete $IPADDRESS

                  Change $IPADDRESS to the address in question.

                  What if I have quite a few rules on the dish? Should I set it at each rule?
                  FYI, I need to pinpoint which user is hogging the network, especially those doing video/music streaming.

                    hoba last edited by

                    You probably want a bandwidth monitoring package like bandwidthd. It's available as a pfSense package. Search the forum or have a look at System > Packages in the web GUI.

                    © 2021 Rubicon Communications, LLC | Privacy Policy