Rule to drop WAN traffic still consuming bandwidth.



  • Hi. I'm on the 2.0 release in a virtualised environment. I run a bunch of VMware and OnApp cloud servers behind my pfSense install. Recently a lot of my customers have been experiencing brute-force attacks on their cloud VMs running SIP servers. Each individual attack consumes around 500kb per second of bandwidth and there are about 60 attacks going on at the moment.

    I have added a list of IP addresses to pfblock to drop the traffic coming from the offending IPs and the SIP VMs are no longer under threat, but the bandwidth usage hasn't dropped. They are still consuming the same 500k each even though the traffic isn't getting through the firewall. This has been going on for over 5 days now and hasn't eased off. I'm getting concerned about my firewall security holding up, but also about the bandwidth charges I'm going to incur as a result of this.

    Is it normal to see continued bandwidth usage even though traffic is being dropped at the perimeter or has anyone any suggestions on how to mitigate this attack?

    Thanks.



  • You can call your ISP and ask them to drop these IP addresses contacting your firewall.



  • I contacted our provider in the data centre and they say that my IP range is unmanaged. I have a /24 range of public IPs and it is solely my responsibility to firewall them, apparently. Is it normal behaviour for blocked IPs to still consume this much bandwidth even though their traffic is being dropped?



  • I'm not so sure what I'm saying atm:
    let's imagine a little

    Unmanaged area called internet --- pfsense --- managed area as your lan
    Attackers using bandwidth^            ^ blocking connections    ^ attackers can't use your bandwidth

    If the ISP is unable to help you, bandwidth is consumed until they stop.
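    A check that would have settled the question above, added here as an example and not posted by anyone in the thread: pf keeps per-rule packet and byte counters, and `pfctl -vvsr` prints them under each rule, so two snapshots taken a known number of seconds apart show exactly how much traffic is still arriving on the block rule. The interface `em0`, the rule labels, the address `203.0.113.10` and all counter values in the two snapshots are constructed sample data; only the counter-line layout is pfctl's.

```python
"""
Measure how much WAN bandwidth traffic that pfSense *drops* still consumes.

On the firewall the two inputs would be captured with
    pfctl -vvsr > before.txt ; sleep 60 ; pfctl -vvsr > after.txt
Every byte counted on a block rule was already received on the WAN
interface before pf discarded it, so the counter delta is the bandwidth
the blocked attackers are still burning (and the provider is still billing).
The snapshots below are constructed sample output, not real data.
"""
import re

# Rule line, e.g.:  @1 block drop in quick on em0 inet from <pfB_Attackers> to any label "..."
# The "@N" prefix is only printed at -vv verbosity, so it is optional here.
RULE_RE = re.compile(r'^(?:@\d+\s+)?(block|pass|match|scrub)\b')
# Counter line printed under each rule:
#   [ Evaluations: 1234   Packets: 56   Bytes: 7890   States: 0   ]
COUNTER_RE = re.compile(
    r'\[\s*Evaluations:\s*(\d+)\s+Packets:\s*(\d+)\s+Bytes:\s*(\d+)\s+States:\s*(\d+)\s*\]'
)

# Constructed snapshot 1 (values invented for illustration).
SNAPSHOT_BEFORE = """\
@0 scrub in on em0 all fragment reassemble
  [ Evaluations: 900000    Packets: 900000    Bytes: 250000000   States: 0     ]
  [ Inserted: uid 0 pid 1234 State Creations: 0     ]
@1 block drop in quick on em0 inet from <pfB_Attackers> to any label "USER_RULE: drop SIP brute force"
  [ Evaluations: 800000    Packets: 800000    Bytes: 200000000   States: 0     ]
  [ Inserted: uid 0 pid 1234 State Creations: 0     ]
@2 pass in quick on em0 inet proto udp from any to 203.0.113.10 port = 5060 keep state label "USER_RULE: SIP to pbx"
  [ Evaluations: 100000    Packets: 100000    Bytes: 50000000    States: 12    ]
  [ Inserted: uid 0 pid 1234 State Creations: 3000  ]
"""

# Constructed snapshot 2, 60 s later: the block rule gained 15000 packets / 3750000 bytes.
SNAPSHOT_AFTER = """\
@0 scrub in on em0 all fragment reassemble
  [ Evaluations: 917400    Packets: 917400    Bytes: 254500000   States: 0     ]
  [ Inserted: uid 0 pid 1234 State Creations: 0     ]
@1 block drop in quick on em0 inet from <pfB_Attackers> to any label "USER_RULE: drop SIP brute force"
  [ Evaluations: 815000    Packets: 815000    Bytes: 203750000   States: 0     ]
  [ Inserted: uid 0 pid 1234 State Creations: 0     ]
@2 pass in quick on em0 inet proto udp from any to 203.0.113.10 port = 5060 keep state label "USER_RULE: SIP to pbx"
  [ Evaluations: 102400    Packets: 102400    Bytes: 50600000    States: 14    ]
  [ Inserted: uid 0 pid 1234 State Creations: 3072  ]
"""


def parse_counters(text):
    """Map each rule (text without the @N prefix) to its packet and byte counters."""
    counters = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if RULE_RE.match(line):
            current = re.sub(r'^@\d+\s+', '', line)
            continue
        m = COUNTER_RE.search(line)
        if m and current is not None:
            counters[current] = {'packets': int(m.group(2)), 'bytes': int(m.group(3))}
    return counters


def rule_rates(before, after, seconds):
    """Per-rule throughput in kbit/s between two pfctl -vvsr snapshots.

    A rule that is missing from the first snapshot or whose byte counter went
    backwards (ruleset reloaded, counters cleared) is skipped, not reported
    as a negative or bogus rate."""
    c0, c1 = parse_counters(before), parse_counters(after)
    rates = {}
    for rule, now in c1.items():
        prev = c0.get(rule)
        if prev is None or now['bytes'] < prev['bytes']:
            continue
        rates[rule] = (now['bytes'] - prev['bytes']) * 8 / 1000 / seconds
    return rates


def dropped_kbit_per_s(before, after, seconds):
    """Total kbit/s hitting block rules: discarded, but already across the WAN link."""
    return sum(r for rule, r in rule_rates(before, after, seconds).items()
               if rule.startswith('block'))


def gigabytes_per_day(kbit_per_s):
    """Sustained rate converted to daily transfer volume in decimal GB."""
    return kbit_per_s * 1000 / 8 * 86400 / 1e9


if __name__ == '__main__':
    for rule, kbit in sorted(rule_rates(SNAPSHOT_BEFORE, SNAPSHOT_AFTER, 60).items(),
                             key=lambda kv: -kv[1]):
        print(f"{kbit:8.1f} kbit/s  {rule}")
    dropped = dropped_kbit_per_s(SNAPSHOT_BEFORE, SNAPSHOT_AFTER, 60)
    print(f"dropped traffic: {dropped:.1f} kbit/s, about {gigabytes_per_day(dropped):.2f} GB/day")
```

    With the constructed numbers the block rule comes out at 500 kbit/s, which is roughly the per-attacker figure in the thread and amounts to about 5.4 GB a day of billable ingress for traffic that never reaches a VM. If the snapshots ever show the block rule's counters standing still while the interface counters keep climbing, the traffic is not matching that rule and the blocklist needs checking.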



  • Ok. I think you're making it a bit clearer for me. So even though the offending traffic is being dropped at the perimeter (pfSense), their continued attempts to get through are generating ~500k of bandwidth. So until they stop, the high traffic will remain!

    This is a real pain.



  • Some years ago I read an account by Steve Gibson of a denial of service attack that hit him. Some nasty piece of work managed to harness hundreds of PCs to bang on his IP address. Fortunately for him, his ISP was rather more cooperative than yours.

    I think you might be able to find his report (grcdos.pdf) on his web site (http://www.grc.com).

