Netgate Discussion Forum

DDOS and logging

General pfSense Questions (5 Posts, 4 Posters, 2.0k Views)
kradalby, Sep 21, 2012, 8:49 AM

Hi

I am running a little gaming community from home and I have been receiving unpleasant traffic from time to time that's jamming my network, and it is bad for me and bad for my players.

I am running pfSense 2.0 on an Intel Atom DC2500 I think it's called, with two Intel NICs. I also have a 100/100 Mbit fiber internet connection. But let's face it, it isn't a problem to send that amount of traffic if you've got some friends.

I have been in contact with my ISP; they can't help me unless I have IPs I can give to them, and I have not been able to get anything out of the box under the attacks because it overloads. I have tried things like ntop but it has no chance.

So what I am wondering: does anyone have any good ideas for finding some IPs? Logging? It would also be great if someone has any idea of some kind of fix. I am not so stupid that I think I can install a DDoS blocker package, but I guess anything will help.

Sorry for my bad English.

kradalby

hagfelds, Sep 21, 2012, 7:33 PM

You could have an open SSH connection to the router running something like "tcpdump -i em0", and when the DoS begins you will at least have something to look at just before the box "freezes".

starshooter10, Sep 21, 2012, 7:56 PM

You could also get a more substantial chunk of hardware in there than an Atom... while I also use a low-powered box, I have a few boxes in reserve that I can blow away and install pfSense on if I needed to.

... you do have a backup of your config, right?

Actually, right now my slowest backup box is a 3.0 GHz dual core with 8 GB of RAM... going up to a dual quad with 16 GB of RAM and a pair of quad GbE "ET" Intel cards... that's supposed to be a backup VM host, but I think to kill a DDoS it could be used for a few hours.

kradalby, Sep 22, 2012, 9:56 AM

I guess tcpdump can output something, but boy, when I ran it, it was 100k lines of packets in 10 seconds... and that's when I'm not attacked...

And Starshooter, I think I have to say that we are not on the same level :P Our hardware resources do not actually go very much beyond the Atom computer. I am located in Norway, where things are a little too expensive to sit on that great hardware ;) and as I said, it's kind of a hardcore hobby :)

But yes, I hear what you are saying. My Atom box has a dual core and 4 GB of RAM.

wallabybob, Sep 22, 2012, 9:13 PM

@kradalby:

> I have been in contact with my ISP; they can't help me unless I have IPs I can give to them, and I have not been able to get anything out of the box under the attacks because it overloads.

I presume you have firewall rules on your WAN interface to block unsolicited traffic. Enable logging on those rules.

When you are hit by a DoS attack, stop the flow (for example by disconnecting or powering off your modem). Your box should soon become usable again. Dump the firewall log file to a text file, for example with the pfSense shell command

```
clog /var/log/filter.log > firewall-log.txt
```

The firewall log should give you some IPs involved in the attack UNLESS you have bugs in your rules OR the attack is very specifically targeted at your open ports, in which case you might be able to configure the attacked servers to log incoming connects, and such logs might provide some IP addresses you could ask your ISP to block.

When you have a bit more information about the nature of the attacks it might be possible to make more specific suggestions.
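The two pieces of evidence suggested in this thread, hagfelds' tcpdump session and wallabybob's clog dump of the firewall log, are only useful to the ISP once the hundred thousand lines are reduced to a short list of source addresses. The script below is an added example, not part of the original thread or of pfSense itself, that ranks sources from either input. It assumes tcpdump was run with -n (no DNS lookups, which matter on a box that is already overloaded) and produced its usual "time IP src.port > dst.port:" text lines, and that the filter log consists of the comma-separated "pf:" records pfSense 2.x writes, in which the source and destination IPv4 addresses are the first two adjacent fields that both look like an address (the exact column positions differ between releases, so the script does not rely on them). The sample lines are constructed for the example and are not a real capture.

```shell
#!/bin/sh
# Added example, not from the thread or from pfSense: rank source addresses
# in the two kinds of evidence suggested above, a "tcpdump -n" text capture
# and a clog dump of /var/log/filter.log, so a short list can go to the ISP.
#
# Assumptions: tcpdump prints "time IP src.port > dst.port: ..." lines, and
# the filter log holds comma-separated "pf:" records in which the source and
# destination IPv4 addresses are the first two adjacent fields that both look
# like an address. The samples below are constructed, not real captures.

# Constructed filter.log excerpt: five blocked packets from two sources, one
# blocked and one passed packet from a third (the pass line must not count).
SAMPLE_FILTER_LOG='Sep 22 09:51:02 pfSense pf: 5,,,em0,match,block,in,4,0x0,,64,1234,0,DF,6,tcp,60,203.0.113.10,198.51.100.5,51201,27015,0,S,10,,65535,,mss
Sep 22 09:51:02 pfSense pf: 5,,,em0,match,block,in,4,0x0,,64,1235,0,DF,6,tcp,60,203.0.113.10,198.51.100.5,51202,27015,0,S,11,,65535,,mss
Sep 22 09:51:03 pfSense pf: 5,,,em0,match,block,in,4,0x0,,63,9,0,none,17,udp,48,203.0.113.77,198.51.100.5,40000,27015,28
Sep 22 09:51:03 pfSense pf: 5,,,em0,match,block,in,4,0x0,,64,1236,0,DF,6,tcp,60,203.0.113.10,198.51.100.5,51203,27015,0,S,12,,65535,,mss
Sep 22 09:51:04 pfSense pf: 5,,,em0,match,block,in,4,0x0,,63,10,0,none,17,udp,48,203.0.113.77,198.51.100.5,40001,27015,28
Sep 22 09:51:04 pfSense pf: 7,,,em0,match,pass,in,4,0x0,,63,11,0,none,17,udp,48,192.0.2.200,198.51.100.5,40002,27015,28
Sep 22 09:51:05 pfSense pf: 5,,,em0,match,block,in,4,0x0,,63,12,0,none,17,udp,48,192.0.2.200,198.51.100.5,40003,27015,28'

# Constructed "tcpdump -n -i em0" excerpt, including a reply from the router
# itself (198.51.100.5) and an ARP line that is not an IP packet.
SAMPLE_TCPDUMP='09:51:02.000001 IP 203.0.113.10.51201 > 198.51.100.5.27015: Flags [S], seq 1, win 65535, length 0
09:51:02.000002 IP 203.0.113.77.40000 > 198.51.100.5.27015: UDP, length 20
09:51:02.000003 IP 203.0.113.10.51202 > 198.51.100.5.27015: Flags [S], seq 1, win 65535, length 0
09:51:02.000004 IP 198.51.100.5.27015 > 203.0.113.77.40000: UDP, length 20
09:51:02.000005 IP 203.0.113.77.40001 > 198.51.100.5.27015: UDP, length 20
09:51:02.000006 IP 203.0.113.10.51203 > 198.51.100.5.27015: Flags [S], seq 1, win 65535, length 0
09:51:02.000007 ARP, Request who-has 198.51.100.1 tell 198.51.100.5, length 28'

# top_filter_log LOGTEXT [N]: blocked packets per source address, top N.
# Only "block" records are counted; traffic to the game's open ports passes
# through "pass" rules and never shows up here.
top_filter_log() {
    printf '%s\n' "$1" | awk '
        / pf: / && /,block,/ {
            n = split($0, f, ",")
            for (i = 1; i < n; i++)
                if (f[i] ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ &&
                    f[i+1] ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
                    hits[f[i]]++     # f[i] is the source, f[i+1] the destination
                    break
                }
        }
        END { for (ip in hits) print hits[ip], ip }
    ' | sort -rn | head -n "${2:-5}"
}

# top_tcpdump TEXT [N]: packets per source address from tcpdump text output.
top_tcpdump() {
    printf '%s\n' "$1" | awk '
        $2 == "IP" {
            src = $3
            sub(/\.[0-9]+$/, "", src)   # strip the trailing .port
            hits[src]++
        }
        END { for (ip in hits) print hits[ip], ip }
    ' | sort -rn | head -n "${2:-5}"
}

# Stand-alone run on the constructed samples.
echo "== filter.log =="; top_filter_log "$SAMPLE_FILTER_LOG"
echo "== tcpdump ==";    top_tcpdump "$SAMPLE_TCPDUMP"
```

On the router the same functions take real data: `top_filter_log "$(clog /var/log/filter.log)"` after the log has been dumped as described above, and `top_tcpdump "$(tcpdump -n -r /root/wan.pcap)"` for a capture. Rather than printing live into an SSH session, write the capture to a ring buffer on disk, for example `tcpdump -n -i em0 -w /root/wan.pcap -C 50 -W 4`, so the last couple of hundred megabytes survive the box locking up and can be read back afterwards with -r. The router's own WAN address will show up in the tcpdump ranking because of replies; drop it from the count, or capture with a filter such as `not src host <WAN address>`. The list is only as meaningful as the attack allows: a spoofed UDP flood yields thousands of distinct sources that tell the ISP nothing, whereas a ranking dominated by a handful of addresses is worth sending.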
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.