Netgate Discussion Forum
    DDoS attack

    Firewalling
    7 Posts 4 Posters 3.4k Views
      arthur1472

      Hello,

      Someone is attacking my server, which of course has a pfSense firewall in front of it.
      The attack is a spoofed SYN flood.
      The bigger problem is that it isn't being blocked: because it is spoofed, it uses many IPs and I can't restrict it on connections per second (every IP sends 1 packet).
      The above leads to the states getting full, after which no traffic is allowed anymore.

      I did find a way to temporarily stop it: since spoofed SYN floods are always from Linux, you have to change the allowed source OS.
      But I don't want it always on Windows, because that also blocks some Windows systems and I want Linux to be able to access my site too.

      Does anyone know how to stop it?

      Thanks in advance,
      Arthur

        gderf

        Your bandwidth is going to be consumed whether you stop the flood in your firewall or just let it continue unabated.

        If you are trying to prevent your bandwidth from being consumed, then have your upstream ISP stop it before it hits your link.

          arthur1472

          My bandwidth isn't my problem at all.
          The problem is that the firewall lets the packets pass because they come from something like 100 IPs at the same time.
          This causes it to reach the maximum number of states, and after reaching max states it will not allow any more traffic.

            cmb
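An added example, not from this thread or from pfSense's own configuration: a pf.conf fragment of the kind pfSense generates from its rule and advanced options, showing the two knobs that address state exhaustion from single-SYN spoofed sources. The interface name, the server address (203.0.113.10 is a documentation address) and the chosen limits are assumptions for illustration.

```pf
# Added example, not from the thread. Interface, address and numbers are assumed.
ext_if  = "em0"
web_srv = "203.0.113.10"

# Global state-table sizing (pfSense: "Firewall Maximum States" and the
# adaptive timeouts under Advanced). adaptive.start/adaptive.end are state
# counts: between them pf scales all state timeouts down toward zero, so
# half-open states age out faster as the table fills instead of blocking
# new connections outright when the limit is hit.
set limit states 400000
set timeout { adaptive.start 240000, adaptive.end 400000 }

# synproxy (pfSense rule "State type: synproxy"): pf answers the SYN itself
# and only opens a connection to the server after the client completes the
# 3-way handshake, which a spoofed source can never do. pf still keeps a
# proxy state for the half-open attempt, so tcp.first is shortened on this
# rule (default 120 s) to expire those states quickly.
# Per-source options such as max-src-conn-rate are deliberately absent: with
# one SYN per spoofed address they never trigger, which is exactly the
# problem described above.
pass in quick on $ext_if proto tcp from any to $web_srv port { 80 443 } \
    flags S/SA synproxy state (tcp.first 15)
```

Note that synproxy protects the server behind the firewall rather than the firewall's own state table; the shortened tcp.first and the adaptive timeouts are what keep the table from filling, and both trade away tolerance for slow legitimate clients, so the values need to be sized against real traffic.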

            @arthur1472:

            I did find a way to temporarily stop it: since spoofed SYN floods are always from Linux, you have to change the allowed source OS.

            That's not a way to block a spoofed SYN flood. A SYN is a SYN is a SYN; it can't detect the OS until a handshake completes, and that never happens with a spoofed SYN flood.

            Search the forum for my other recommendations on firewalls and DDoS, there are lots of other threads.

              arthur1472

              Cmb,
              What I meant is that most spoofed SYN floods are coming from Linux.
              So what I did to temporarily block it is change the settings for the allowed source OS.
              This causes Linux to be blocked and it stops the attack.
              But I don't want it like this, because I don't want Windows to be the only OS that can visit my site.

              So I changed this:
              http://puu.sh/Yiv7

              To this:
              http://puu.sh/Yivh

                johnpoz LAYER 8 Global Moderator

                What he is saying is that it's impossible to determine the OS from the SYN packet.

                Are you sure you're not just seeing traffic you don't understand?? Why don't you post up a sniff of some of this attack so we can take a look.

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

                  arthur1472
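As an added example (not from this thread, and not pfSense or Netgate code), here is the kind of check one would run over the sniff johnpoz asks for: it parses tcpdump-style TCP summary lines, looks for the signature arthur describes earlier in the thread (many distinct sources, each sending a single bare SYN and never completing a handshake), reports the per-source view a "connections per second" limiter would see, and works out how many states such a flood pins in the table for a given tcp.first timeout. The capture lines are constructed, the addresses are documentation ranges, and the thresholds and function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style summary lines, not a real capture: one legitimate
# client (198.51.100.7) completing a handshake, followed by twenty spoofed
# sources in 192.0.2.0/24 that each send a single bare SYN and nothing else.
_LEGIT = [
    "00:00:00.001 198.51.100.7.40001 > 203.0.113.10.80: Flags [S]",
    "00:00:00.002 198.51.100.7.40001 > 203.0.113.10.80: Flags [.]",
    "00:00:00.003 198.51.100.7.40001 > 203.0.113.10.80: Flags [P.]",
]
_SPOOFED = [
    f"00:00:00.{10 + i:03d} 192.0.2.{i}.{5000 + i} > 203.0.113.10.80: Flags [S]"
    for i in range(1, 21)
]
SAMPLE_CAPTURE = "\n".join(_LEGIT + _SPOOFED)

# "HH:MM:SS.frac src.port > dst.port: Flags [xx]", the shape tcpdump prints
# for TCP packets (assumed to be what "a sniff" posted here would look like).
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+>\s+(\S+):\s+Flags\s+\[([^\]]*)\]")


def parse_line(line):
    """Return a dict for one tcpdump summary line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, flags = m.groups()
    src_ip, src_port = src.rsplit(".", 1)
    dst_ip, dst_port = dst.rsplit(".", 1)
    return {"ts": ts, "src": src_ip, "sport": int(src_port),
            "dst": dst_ip, "dport": int(dst_port), "flags": flags}


def analyze_capture(text, min_sources=10, half_open_ratio=0.9):
    """Summarise per-source behaviour and decide whether the capture shows the
    spoofed-SYN-flood signature: many distinct sources, each sending a bare SYN
    ([S], not [S.] or [.]) and never anything else, so no handshake completes.
    Thresholds are assumptions chosen for the example."""
    per_src = defaultdict(lambda: {"syn": 0, "other": 0})
    for line in text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        key = "syn" if pkt["flags"] == "S" else "other"
        per_src[pkt["src"]][key] += 1

    half_open = [s for s, c in per_src.items() if c["syn"] and not c["other"]]
    one_shot = [s for s in half_open if per_src[s]["syn"] == 1]
    n_sources = len(per_src)
    ratio = len(half_open) / n_sources if n_sources else 0.0
    # What a per-source "connections per second" limiter sees: the most SYNs
    # any single address sent. For a spoofed flood this is 1, which is why
    # such limits never trigger.
    peak_syn_per_source = max((c["syn"] for c in per_src.values()), default=0)

    flood = (n_sources >= min_sources and ratio >= half_open_ratio
             and len(one_shot) >= 0.8 * len(half_open))
    return {
        "unique_sources": n_sources,
        "half_open_sources": len(half_open),
        "half_open_ratio": round(ratio, 3),
        "peak_syn_per_source": peak_syn_per_source,
        "verdict": "spoofed-syn-flood" if flood else "no-flood-signature",
    }


def estimate_half_open_states(syn_per_second, tcp_first_seconds=120):
    """States a stream of bare SYNs pins in the table: each lives until the
    tcp.first timeout expires (pf default 120 s), so demand = rate * timeout.
    This is the arithmetic behind "the states are getting full"."""
    return int(syn_per_second * tcp_first_seconds)


if __name__ == "__main__":
    print(analyze_capture(SAMPLE_CAPTURE))
    # 2000 spoofed SYN/s against a 120 s tcp.first needs 240000 states
    print(estimate_half_open_states(2000))
```

Run it against real `tcpdump -nn 'tcp[tcpflags] & tcp-syn != 0'` output saved during an attack; a high half_open_ratio together with peak_syn_per_source of 1 is the pattern that per-source limits cannot see, and the state estimate shows what the table limit and tcp.first timeout have to absorb.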

                  Well it does determine the source os.

                  I can't do a sniff, because of 2 things:
                  1. If I am getting DDoS'ed it won't respond, because the states are getting filled.
                  2. There is no attack incoming right now.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.