Help me DDOS protection
-
Hello. Sorry if my English is bad
i need to protect my server
Attack on forward port UDP
I need Pfsense Block
my windows server 2008 run teamspeak
Firewall: NAT: Port Forward
Attack
wan don't block
come in on windows server
on lan windows server 2008
freezes because Attack
-
Since you are forwarding a port range, are you by any chance using torrents on that windows server?
-
Probably the simplest approach would be to restrict the IP addresses allowed to access that port range. Go to Firewall: NAT: Port Forward, click on "Source" and enter the IP addresses which should be allowed access to your server.
https://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense
https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting
A better option IMHO would be to set up a VPN for access.
https://doc.pfsense.org/index.php/VPN_Capability_OpenVPN
If you must allow all IP addresses to have access, I suppose you could shape the traffic to prevent it from overloading the internal server. And if so, you really probably want to enable some level of attack detection like Snort.
https://doc.pfsense.org/index.php/Traffic_Shaping_Guide
https://doc.pfsense.org/index.php/Setup_Snort_Package
-
What are you trying to block exactly?
Most of that traffic is coming from your server, is it being used as part of a DDOS attack?
Steve
-
my server run service teamspeak3 use udp port 9900-1100
teamspeak is voice communication using
I can not determine the source
Because the use of multiple IP.
My server no torrents
my pfsense with snort
UDP. can configure the maximum connections per IP?
Determine how much
-
UDP. can configure the maximum connections per IP?
Determine how much
Other than traffic shaping, there are some settings that might help under Firewall: Rules: Edit: Advanced Options
"Maximum number of unique source hosts"
"Maximum state entries per host"
-
UDP. can configure the maximum connections per IP?
Determine how much
Other than traffic shaping, there are some settings that might help under Firewall: Rules: Edit: Advanced Options
"Maximum number of unique source hosts"
"Maximum state entries per host"
pfTop from my server
My config is this?
-
pfTop from my server
I'm not entirely sure this traffic is a DDOS or even an attack. I notice that many of the ports are not in the 9900-10000 range. To me, this looks more like active data transfer similar to what might be seen on a web or FTP or p2p server. I think it's a strong possibility that your 192.168.23.77 server has been compromised. My next step would be to try to identify the exact source of the traffic. I would start by carefully looking at the Windows 2008 server to make sure it hasn't been compromised and has been added to a bot net(s).
As a diagnostic test, try stopping the teamspeak service on the W2008 server and see if the traffic persists or stops. If it persists, try disabling the NAT Port forward to that server, clear the pfSense states (Diagnostics: States: Reset States) and see if the traffic persists. If it does, then it is very likely that the W2008 server has been compromised.
You can mitigate a lot of the traffic by immediately putting a block rule on the LAN interface to restrict the ports allowed for 192.168.23.77.
The recommended Teamspeak ports are completely different from the port range you have enabled and those shown in pfTop: https://support.teamspeakusa.com/index.php?/Knowledgebase/Article/View/44/0/which-ports-does-the-teamspeak-3-server-use
-
Yep, I agree something looks very wrong here. What sort of DDoS attack do you think is happening here? Most of the traffic is coming from your server, if anything ddos related is happening it's your server doing the attacking.
Why so many ports open?
Steve
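
The check the replies above apply to the pfTop listing (is each state inside the forwarded port range, and which side opened it) can be scripted. This is an added example, not part of the original thread: the simplified `proto initiator:port -> responder:port` line layout, the sample lines and the function name are constructed assumptions, so real pfTop or `pfctl -ss` output needs its own parsing.

```python
import re
from collections import Counter

# Constructed sample states, one per line, in an assumed simplified layout:
#   proto initiator_ip:port -> responder_ip:port
SAMPLE_STATES = """\
udp 203.0.113.10:51000 -> 192.168.23.77:9987
udp 203.0.113.11:40211 -> 192.168.23.77:9950
udp 198.51.100.7:33000 -> 192.168.23.77:10500
tcp 192.168.23.77:49152 -> 198.51.100.20:8080
tcp 192.168.23.77:49153 -> 198.51.100.21:443
udp 192.168.23.77:49154 -> 203.0.113.99:27015
tcp 192.168.23.50:50000 -> 198.51.100.30:443
"""

# IPv4 only; lines that do not match are ignored.
LINE = re.compile(r"^(\w+)\s+([\d.]+):(\d+)\s+->\s+([\d.]+):(\d+)")


def classify_states(text, server, proto, port_lo, port_hi):
    """Split the states touching `server` into three groups:
    expected_inbound   - opened by a remote host to the forwarded proto/ports
    unexpected_inbound - opened by a remote host to any other proto/port
    server_initiated   - opened by the server itself (outbound traffic)
    Returns (Counter of groups, list of (group, line) worth reviewing)."""
    counts = Counter()
    flagged = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE.match(line)
        if not m:
            continue
        p, src, _sport, dst, dport = m.groups()
        if src == server:
            kind = "server_initiated"
        elif dst == server:
            in_range = p == proto and port_lo <= int(dport) <= port_hi
            kind = "expected_inbound" if in_range else "unexpected_inbound"
        else:
            continue  # state does not involve the monitored server
        counts[kind] += 1
        if kind != "expected_inbound":
            flagged.append((kind, line))
    return counts, flagged


if __name__ == "__main__":
    counts, flagged = classify_states(SAMPLE_STATES, "192.168.23.77", "udp", 9900, 10000)
    print(dict(counts))
    for kind, line in flagged:
        print(f"{kind}: {line}")
```

A state table dominated by `server_initiated` entries matches what the replies describe: traffic leaving the server rather than a flood arriving at the forwarded ports.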