how to defend a SYNFLOOD attack on lan?



  • Hi
    I am a new user to pfsense.
    How do I defend against a SYN flood attack on the LAN? The default rule is very bad.
    Can someone help? Thanks!



  • Modify the default lan rule.  Click on the "Advanced" button under the "Advanced Options" area.

    Change Maximum new connections / per second to 10 and 1.

    This will blacklist the IP if it tries to make more than 10 connections a sec.  This number may be a little low, you'll have to tweak it some.

    Once you have changed the rule, run this command from a shell to inspect the blocked table:

    pfctl -t virusprot -Ts

    To delete an item in the blacklist:

    pfctl -t virusprot -T delete $IPADDRESS

    Change $IPADDRESS to the address in question.



  • Thank you, very nice!!



  • Can't you also set the state to synproxy instead of keep state?

    Quote from the PF FAQ:
    "TCP SYN Proxy

    Normally when a client initiates a TCP connection to a server, PF will pass the handshake packets between the two endpoints as they arrive. PF has the ability, however, to proxy the handshake. With the handshake proxied, PF itself will complete the handshake with the client, initiate a handshake with the server, and then pass packets between the two. The benefit of this process is that no packets are sent to the server before the client completes the handshake. This eliminates the threat of spoofed TCP SYN floods affecting the server because a spoofed client connection will be unable to complete the handshake."

    I thought this would protect from a synproxy attack?

    A rule i have with this activated:

    pass in log quick on dc0 inet proto tcp from any to 192.168.0.x port = http flags S/SA synproxy state label "USER_RULE: NAT WAN -> Web Server (synproxy)"
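    Both approaches discussed in this thread can be written directly in pf syntax. The ruleset fragment below is an added example; it is not from any post above and not pfSense's own generated rules. The interface name em0 and the server address 192.168.0.10 are assumed. The first pass rule is the kind pfSense produces from the "Maximum new connections / per second" setting (10 and 1): a source that opens more than 10 new connections in one second is moved into the virusprot table and all its states are flushed, and the block rule then drops everything from it. The second rule uses synproxy state, where pf completes the three-way handshake itself and only then opens a connection to the server.

```pf
# Added example, not from the thread or from pfSense. The interface name and
# the server address are assumptions for illustration.
ext_if  = "em0"
web_srv = "192.168.0.10"

# Table that overloaded sources are placed in; "persist" keeps it defined
# even while it is empty. Inspect it with: pfctl -t virusprot -Ts
table <virusprot> persist

# Drop everything from a source that has been overloaded into the table.
block in quick from <virusprot> to any

# Option 1: rate limit per source (what the GUI "Maximum new connections /
# per second" = 10 / 1 setting expresses). More than 10 new connections from
# one source within 1 second adds that source to <virusprot> and flushes
# all of its existing states ("flush global" means every state from that
# source, not only those created by this rule).
pass in on $ext_if inet proto tcp from any to $web_srv port 80 \
    flags S/SA keep state \
    (max-src-conn-rate 10/1, overload <virusprot> flush global)

# Option 2: SYN proxy. pf answers the client's SYN itself and only starts a
# handshake with the server once the client has completed its own, so a
# spoofed SYN never reaches the server. Nothing is recorded in a table,
# so there is no list of offending sources to look at afterwards.
pass in on $ext_if inet proto tcp from any to $web_srv port 80 \
    flags S/SA synproxy state
```

    The two options answer different threats. max-src-conn-rate counts new states per source address, so it identifies a real host on the LAN that is opening connections too fast (the poster's case), but a flood of SYNs with randomly spoofed source addresses never trips it because each forged address only ever shows one connection. synproxy handles that spoofed case, since a forged client can never finish the handshake, but it gives you nothing to look up in pfctl afterwards.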


  • @mastrboy:

    Can't you also set the state to synproxy instead of keep state?

    Quote from the PF FAQ:
    "TCP SYN Proxy

    Normally when a client initiates a TCP connection to a server, PF will pass the handshake packets between the two endpoints as they arrive. PF has the ability, however, to proxy the handshake. With the handshake proxied, PF itself will complete the handshake with the client, initiate a handshake with the server, and then pass packets between the two. The benefit of this process is that no packets are sent to the server before the client completes the handshake. This eliminates the threat of spoofed TCP SYN floods affecting the server because a spoofed client connection will be unable to complete the handshake."

    I thought this would protect from a synproxy attack?

    A rule i have with this activated:

    pass in log quick on dc0 inet proto tcp from any to 192.168.0.x port = http flags S/SA synproxy state label "USER_RULE: NAT WAN -> Web Server (synproxy)"

    Yes that would work but he wanted to track down the culprit as well.



  • I see, thanks for clearing up my confusion.



  • @sullrich:

    Modify the default lan rule.  Click on the "Advanced" button under the "Advanced Options" area.

    Change Maximum new connections / per second to 10 and 1.

    This will blacklist the IP if it tries to make more than 10 connections a sec.  This number may be a little low, you'll have to tweak it some.

    Once you have changed the rule, run this command from a shell to inspect the blocked table:

    pfctl -t virusprot -Ts

    To delete an item in the blacklist:

    pfctl -t virusprot -T delete $IPADDRESS

    Change $IPADDRESS to the address in question.

    What if I have quite a few rules on the dish? Should I set it on each rule?
    FYI, I need to pinpoint which user is hogging the network, especially doing video/music streaming.



  • You probably want a bandwidth monitoring package like bandwidthd. It's available as a pfSense package. Search the forum or have a look at System > Packages in the web GUI.

