DDoS attack



  • Hello,

    Someone is attacking my server, which of course has a pfSense firewall in front of it.
    The attack is a spoofed SYN flood.
    The bigger problem is that the firewall isn't blocking it: because it is spoofed it uses many IPs, and I can't restrict it on connections per second (every IP sends 1 packet).
    This leads to the state table getting full, after which no traffic is allowed anymore.

    I did find a way to temporarily stop it: since spoofed SYN floods are always from Linux, you have to change the allowed source OS.
    But I don't want to leave it on Windows only, because that also blocks some Windows systems and I want Linux to be able to access my site too.

    Does anyone know how to stop it?

    Thanks in advance,
    Arthur



  • Your bandwidth is going to be consumed whether you stop the flood in your firewall or just let it continue unabated.

    If you are trying to prevent your bandwidth from being consumed, then have your upstream ISP stop it before it hits your link.



    My bandwidth isn't my problem at all.
    The problem is that the firewall lets the packets pass because they come from something like 100 IPs at the same time.
    This causes it to reach the maximum number of states, and after reaching max states it won't allow any more traffic.
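    The state-exhaustion mechanism described in the posts above, as an added example that is not part of the thread: a toy model of a stateful firewall fed a constructed stream of spoofed SYNs, each from a different source address, followed by one legitimate client. It compares two state-creation policies: creating a state on every SYN with a per-source cap (the per-IP limit the poster says does not help), and answering the SYN with a stateless SYN cookie and committing a state only when a valid ACK comes back (the idea behind pf's `synproxy state`). The table size, per-source cap, secret and addresses are all assumed values chosen for the model, not pfSense settings.

```python
"""Toy model: why a per-source connection cap does not stop a spoofed SYN flood
from filling the state table, while a SYN-cookie/synproxy policy does.
Added example for illustration; constants and addresses are constructed."""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Optional

MAX_STATES = 1000                 # assumed state-table capacity
MAX_PER_SRC = 5                   # assumed per-source connection cap
SECRET = b"constructed-secret"    # constructed; a real implementation rotates this


@dataclass(frozen=True)
class Packet:
    src: str
    flags: str                    # 'S' (SYN) or 'A' (ACK)
    ack: Optional[int] = None


class Firewall:
    def __init__(self, policy: str):
        self.policy = policy      # 'per_source_limit' or 'synproxy'
        self.states = {}          # src -> number of states held
        self.dropped_full = 0     # packets refused because the table was full

    def total_states(self) -> int:
        return sum(self.states.values())

    def _cookie(self, src: str) -> int:
        # Stateless SYN cookie: the ISN is derived from the source and a secret,
        # so the ACK can be verified later without storing anything per SYN.
        digest = hmac.new(SECRET, src.encode(), hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")

    def _add_state(self, src: str) -> bool:
        if self.total_states() >= MAX_STATES:
            self.dropped_full += 1
            return False
        self.states[src] = self.states.get(src, 0) + 1
        return True

    def receive(self, p: Packet) -> Optional[int]:
        """Handle one inbound packet. Returns the SYN/ACK ISN when the firewall
        answers a SYN itself (synproxy), otherwise None."""
        if self.policy == "per_source_limit":
            if p.flags == "S":
                if self.states.get(p.src, 0) >= MAX_PER_SRC:
                    return None   # cap never trips when every spoofed source sends one SYN
                self._add_state(p.src)   # state is created on the bare SYN
            return None
        # synproxy: reply to the SYN ourselves, commit a state only on a valid ACK
        if p.flags == "S":
            return self._cookie(p.src)   # SYN/ACK goes to p.src; a spoofed source never sees it
        if p.flags == "A" and p.ack == (self._cookie(p.src) + 1) & 0xFFFFFFFF:
            self._add_state(p.src)
        return None


def spoofed_syns(n: int, first: str = "198.51.100.0") -> list:
    """Constructed flood: n SYNs, each from a different (spoofed) address."""
    base = int(ipaddress.IPv4Address(first))
    return [Packet(str(ipaddress.IPv4Address(base + i)), "S") for i in range(n)]


def legit_connect(fw: Firewall, src: str = "203.0.113.7") -> bool:
    """A real client: sends SYN, sees the SYN/ACK, answers with the right ACK."""
    isn = fw.receive(Packet(src, "S"))
    if isn is not None:
        fw.receive(Packet(src, "A", ack=(isn + 1) & 0xFFFFFFFF))
    return fw.states.get(src, 0) > 0


def simulate(policy: str, n_spoofed: int = 2000) -> dict:
    """Run the flood, then one legitimate client; report what the table looks like."""
    fw = Firewall(policy)
    for p in spoofed_syns(n_spoofed):
        fw.receive(p)
    legit_ok = legit_connect(fw)
    return {"policy": policy, "states": fw.total_states(),
            "dropped_full": fw.dropped_full, "legit_ok": legit_ok}


if __name__ == "__main__":
    for policy in ("per_source_limit", "synproxy"):
        print(simulate(policy))
```

    Under `per_source_limit` the 2000 spoofed SYNs fill all 1000 slots (each source holds one state, far below the cap of 5) and the legitimate client is refused; under `synproxy` no spoofed source ever completes the handshake, the table holds only the legitimate connection, and nothing is dropped. The model ignores state expiry and retransmission, which in practice decide how fast a filled table recovers.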



  • @arthur1472:

    I did find a way to temporarily stop it: since spoofed SYN floods are always from Linux, you have to change the allowed source OS.

    That's not a way to block a spoofed SYN flood. A SYN is a SYN is a SYN; it can't detect the OS until a handshake completes, and that never happens with a spoofed SYN flood.

    Search the forum for my other recommendations on firewalls and DDoS, there are lots of other threads.



  • Cmb,
    What I meant is that most spoofed SYN floods are coming from Linux.
    So what I did to temporarily block it was change the allowed source OS setting.
    This causes Linux to be blocked and stops the attack.
    But I don't want it like this, because I don't want Windows to be the only OS able to visit my site.

    So I changed this:
    http://puu.sh/Yiv7

    To this:
    http://puu.sh/Yivh


  • Rebel Alliance Global Moderator

    What he is saying is that it's impossible to determine the OS from the SYN packet.

    Are you sure you're not just seeing traffic you don't understand? Why don't you post a sniff of some of this attack so we can take a look.



    Well, it does determine the source OS.

    I can't do a sniff, for 2 reasons:
    1. If I am getting DDoS'ed it won't respond, because the states are getting filled.
    2. There is no attack incoming right now.

