Netgate Discussion Forum

Maximum new connections per second

4 Posts 2 Posters 4.7k Views
  • B
    biggsy
    last edited by Apr 2, 2014, 6:56 AM

    Hi all,

    Recently I've been hit a few times with upwards of 2,000 connections in the space of about half an hour.  Always from a single IP address to my web server, but different source IPs each time.

    Yesterday I decided to set the Maximum new connections per second to 10/60 on the firewall rule generated by the NAT.  Saved and applied changes.

    Overnight there was another of these hits (from yet another IP) but the connection limit didn't work.  The connections, 2311 of them, were passed right through.

    The interface is connected to a bridged ADSL modem and PPPoE is running on pfSense - though I can't see how that would have anything to do with rate limiting not working.

    Am I missing something else that has to be done for the rate limit to work?

    Also, is any log record generated when an IP is blocked for exceeding the connection rate limit?

    Thanks

    • H
      Harvy66
      last edited by Apr 5, 2014, 1:42 PM

      2000 connections over the period of 30 minutes is an average of about 1.1 connections per second. Having a 10/60 limit may be a bit low seeing that the default in many web browsers is to create as many as 20-30 connections at a time.

      pfSense will leave a TCP state open for up to 24 hours by default, assuming the TCP connections did not themselves send FIN packets to close the states. I've run into this recently. My question to you is, are these connections active or are they idle, as in no data sent for a long while? The connections may be stale and pfSense is just following the rules and not artificially closing the states because the TCP connections did not indicate that they were closing.

      Hopefully someone else will pipe in.

      • B
        biggsy
        last edited by Apr 5, 2014, 8:50 PM

        Thanks for the reply.

        I assume that a browser setting up 20-30 connections would be doing so because it found content or links to pull from the server using additional, separate connections.  Very unlikely to be the case on my content-poor blog  :)

        Even at an average 1.1 connections per second, that would be more than 6 times my maximum (10) connections over the 60 second period.

        Unfortunately these hits have all taken place in the middle of my night so the only evidence I have is syslog records.

        So I guess the question is: If pfSense is generating a log record per connection, why does it not start rejecting them once the rate limit is reached?

        • H
          Harvy66
          last edited by Apr 7, 2014, 2:38 AM

          @biggsy:

          Thanks for the reply.

          I assume that a browser setting up 20-30 connections would be doing so because it found content or links to pull from the server using additional, separate connections.  Very unlikely to be the case on my content-poor blog  :)

          Even at an average 1.1 connections per second, that would be more than 6 times my maximum (10) connections over the 60 second period.

          Unfortunately these hits have all taken place in the middle of my night so the only evidence I have is syslog records.

          So I guess the question is: If pfSense is generating a log record per connection, why does it not start rejecting them once the rate limit is reached?

          Even if it happened in the middle of the night, if it's these "stale" states, I use the term loosely, then you should still see these states in the state list in the morning.

          Like you said, a content light blog probably won't use many connections, especially since the browser can only use more connections for non-dependent data, but that is an assumption. If a connection got blocked, the client may need to wait the entire duration of a TCP timeout before the blog loads the rest of the way. Depends on the browser implementation.
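
The thread leaves open whether the 10/60 limit was ever actually exceeded. pf's "Maximum new connections per second" option is per source address, counts TCP connections that completed the handshake, and triggers once more than N such connections were seen within S seconds (pf.conf documents it as a moving-average approximation). An average of 1.1 connections per second over half an hour can therefore sit below 10/60 if the connections were spread evenly, or blow through it if they came in bursts. The script below is an added example, not code from the thread or from pfSense: it replays constructed syslog-style lines and applies the same per-source N/S check over a sliding window, so the poster's only evidence (the log records) can be used to answer that question. The line format, addresses and timestamps are constructed for the example; the real pfSense filterlog format is different, so the regular expression would need to be adapted.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in a simplified syslog-like format (NOT the real
# pfSense filterlog CSV format). 203.0.113.5 opens 12 TCP connections in 33 s,
# 198.51.100.77 opens 5 spread over five minutes, 192.0.2.9 sends only UDP.
SAMPLE_LOG = """\
Apr  2 02:15:00 fw filterlog: pass in 203.0.113.5:51001 -> 198.51.100.10:80 TCP
Apr  2 02:15:03 fw filterlog: pass in 203.0.113.5:51002 -> 198.51.100.10:80 TCP
Apr  2 02:15:06 fw filterlog: pass in 203.0.113.5:51003 -> 198.51.100.10:80 TCP
Apr  2 02:15:09 fw filterlog: pass in 203.0.113.5:51004 -> 198.51.100.10:80 TCP
Apr  2 02:15:12 fw filterlog: pass in 203.0.113.5:51005 -> 198.51.100.10:80 TCP
Apr  2 02:15:15 fw filterlog: pass in 203.0.113.5:51006 -> 198.51.100.10:80 TCP
Apr  2 02:15:18 fw filterlog: pass in 203.0.113.5:51007 -> 198.51.100.10:80 TCP
Apr  2 02:15:21 fw filterlog: pass in 203.0.113.5:51008 -> 198.51.100.10:80 TCP
Apr  2 02:15:24 fw filterlog: pass in 203.0.113.5:51009 -> 198.51.100.10:80 TCP
Apr  2 02:15:27 fw filterlog: pass in 203.0.113.5:51010 -> 198.51.100.10:80 TCP
Apr  2 02:15:30 fw filterlog: pass in 203.0.113.5:51011 -> 198.51.100.10:80 TCP
Apr  2 02:15:33 fw filterlog: pass in 203.0.113.5:51012 -> 198.51.100.10:80 TCP
Apr  2 02:20:00 fw filterlog: pass in 198.51.100.77:40001 -> 198.51.100.10:80 TCP
Apr  2 02:21:00 fw filterlog: pass in 198.51.100.77:40002 -> 198.51.100.10:80 TCP
Apr  2 02:22:00 fw filterlog: pass in 198.51.100.77:40003 -> 198.51.100.10:80 TCP
Apr  2 02:23:00 fw filterlog: pass in 198.51.100.77:40004 -> 198.51.100.10:80 TCP
Apr  2 02:24:00 fw filterlog: pass in 198.51.100.77:40005 -> 198.51.100.10:80 TCP
Apr  2 02:24:30 fw filterlog: pass in 192.0.2.9:5353 -> 198.51.100.10:53 UDP
"""

# Matches the constructed format above: timestamp, host, "pass in", src:port -> dst:port proto
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ filterlog: pass in "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+ -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) (?P<proto>[A-Z]+)$"
)


def parse_events(log_text, year=2014):
    """Return a time-sorted list of (timestamp, source_ip, protocol) for
    every line that parses; syslog lines carry no year, so one is supplied."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated or malformed line; skip rather than fail
        ts_text = re.sub(" +", " ", m["ts"])  # "Apr  2" -> "Apr 2"
        ts = datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], m["proto"]))
    events.sort(key=lambda e: e[0])
    return events


def rate_violations(events, max_conn=10, seconds=60):
    """Model of pf's max-src-conn-rate max_conn/seconds: a source violates the
    limit once it has opened more than max_conn new TCP connections within any
    sliding window of `seconds`. Only TCP is counted, because pf applies this
    option to TCP connections that completed the handshake. Returns a dict
    {source_ip: timestamp of the first violating connection}."""
    windows = defaultdict(deque)  # per-source timestamps inside the window
    first_hit = {}
    for ts, src, proto in events:
        if proto != "TCP":
            continue
        window = windows[src]
        window.append(ts)
        while (ts - window[0]).total_seconds() > seconds:
            window.popleft()  # drop connections that fell out of the window
        if len(window) > max_conn and src not in first_hit:
            first_hit[src] = ts
    return first_hit


def summarize(log_text, max_conn=10, seconds=60):
    """Parse the log and report which sources exceeded max_conn/seconds."""
    return rate_violations(parse_events(log_text), max_conn, seconds)


if __name__ == "__main__":
    hits = summarize(SAMPLE_LOG)
    for src, ts in sorted(hits.items()):
        print(f"{src} exceeded 10/60 at {ts:%b %d %H:%M:%S}")
    if not hits:
        print("no source exceeded 10/60 in any 60-second window")
```

Run against the constructed sample, only 203.0.113.5 trips 10/60, on its 11th connection at 02:15:30; the slow source and the UDP source never do. If a real log replayed this way shows no window over the limit, the rule simply had nothing to act on. Two further checks on the pfSense side: sources that do trip the limit are added to the pf `virusprot` table (pfSense generates the rule as `max-src-conn-rate 10/60 overload <virusprot>`), which can be listed from a shell with `pfctl -t virusprot -T show`, and pfSense's cron job expires those table entries after an hour, so an overnight hit will have been cleared from the table by morning even though the state list and logs still show the connections.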
