    Rule to drop wan traffic still consuming bandwidth.

    General pfSense Questions
    • C
      cr_hyland last edited by

      Hi. I'm on 2.0 release in a virtualised environment. I run a bunch of VMware and OnApp cloud servers behind my pfsense install. Recently a lot of my customers have been experiencing brute force attacks on their cloud VMs running SIP servers. Each individual attack consumes around 500kb per second of bandwidth and there are about 60 attacks going on at the moment.

      I have added a list of IP addresses to pfblock to drop the traffic coming from the offending IPs and the SIP VMs are no longer under threat but the bandwidth usage hasn't dropped. They are still consuming the same 500k each even though the traffic isn't getting through the firewall. This has been going on for over 5 days now and hasn't eased off. I'm getting concerned about my firewall security holding up but also about the bandwidth charges I'm going to incur as a result of this.

      Is it normal to see continued bandwidth usage even though traffic is being dropped at the perimeter or has anyone any suggestions on how to mitigate this attack?

      Thanks.

      • M
        Metu69salemi last edited by

        You can call your ISP and ask them to drop these IP addresses contacting your firewall.

        • C
          cr_hyland last edited by

          I contacted our provider in the data centre and they say that my IP range is unmanaged. I have a /24 range of public IPs and it is solely my responsibility to firewall them apparently. Is it normal behaviour for blocked IPs to still consume this much bandwidth even though their traffic is being dropped?

          • M
            Metu69salemi last edited by

            I'm not so sure what I'm speaking about atm:
            let's imagine a little

            
            Unmanaged area called internet --- pfsense --- managed area as your lan
            Attackers  using bandwidth^            ^ blocking connections    ^ attackers can't use your bandwidth
            
            

            If the ISP is unable to help you, bandwidth is consumed until they stop.

            • C
              cr_hyland last edited by

              Ok. I think you're making it a bit clearer for me. So even though the offending traffic is being dropped at the perimeter (pfsense) their continued attempts to get through are generating ~ 500k bandwidth. So until they stop the high traffic will remain!

              This is a real pain.

              • W
                wallabybob last edited by

                Some years ago I read an account by Steve Gibson of a denial of service account that hit him. Some nasty piece of work managed to harness hundreds of PCs to bang on his IP address. Fortunately for him his ISP was rather more cooperative than yours.

                I think you might be able to find his report (grcdos.pdf) on his web site (http://www.grc.com).
