
  • You can't stop a DDoS attack with just one WAN and a router/firewall.  If that was the case, DDoS wouldn't be much of a problem for anyone anymore.  While the firewall can drop packets as fast as it can, a DDOs floods the interface with so much traffic that legitimate traffic is lost in the noise.  You need a heavy-duty load-balancing scheme of some kind to handle that.



  • Contact your upstream ISP and see if they will allow you to tell them IPs that should be added to their ACLs. Make sure you mention the first D in the DDoS. DoS only will not work. Handling those types of attacks is done as close to the source as possible. If you can get to the attacker's upstream ISP and they listen to you (extremely unlikely) then great. If not, your upstream is the next closest to the source.

    If neither the attacker's ISP nor your upstream are co-operating, then your only choice is to block the attacks on your perimeter firewalls. Nothing else you can do about it.



  • PFSense already "blocks" DOS attacks, what I assume is the issue is when it attempts to log all of those packets. Yes?



  • Seeing a block appear in the logs means the packets were stopped. But the packets got to your router somehow, they didn't magically appear there. If enough packets are coming in, even if pfsense is blocking them, it could mean (depending on the size and type of the attack) that your network connection is exhausted. No harm was done "internally" but the entire network was unavailable from the outside.



  • @Carreswag:

    Hi, I'm new to pfsense and I couldn't really find anything on blocking ddos. I know people have used snort to help block ddos but I'm wondering how to limit the rate of incoming packets. For example, if there are 1000 incoming udp packets per second the IP address will be blocked for, let's say, 30 seconds. If anyone can help I would really appreciate that.

    You really need to read up on what a DDOS is.

    http://www.cisco.com/c/en/us/products/collateral/security/traffic-anomaly-detector-xt-5600a/prod_white_paper0900aecd8011e927.html

    or the pdf file which is much clearer: http://www.cisco.com/c/en/us/products/collateral/security/traffic-anomaly-detector-xt-5600a/prod_white_paper0900aecd8011e927.pdf

    Sure someone could attempt to help you here but most likely unless you looked up the definition of what you're talking about it's not going to click with you. Take 5 minutes out of your day to satisfy that curiosity and just read. Then come back here to see if your question might change or if you actually have a question at all. Knowledge is power.



  • I don't think you've listened to a single thing anyone here has said.  No, a single firewall/router is NOT going to mitigate any DDoS attacks.  Besides, what kind of DDoS attacks are you expecting to receive??  Are you a pretty big wheel down at the Cracker Factory or something?



  • pfSense should be able to handle 50 Mbps floods without any problem.  I use it in a VM to handle our 80/80Mbps link and it barely touches the CPU.



  • You don't have to do anything.  The firewall will automatically drop anything not allowed by a rule.



  • @KOM:

    You don't have to do anything.  The firewall will automatically drop anything not allowed by a rule.

    hi,
    ok, the firewall will drop anything not allowed, but can pfsense block these IPs after a while ?
    We know that Watchguard can do this.
    For the people knowing WG, we are looking for something like the WG "Default Packet Handling" stopping the Spoofing attacks, Drop Port Space Probes, Address Space Probes, ….
    Thanks for your answer



  • @atrocity:

    @KOM:

    You don't have to do anything.  The firewall will automatically drop anything not allowed by a rule.

    hi,
    ok, the firewall will drop anything not allowed, but can pfsense block these IPs after a while ?
    We know that Watchguard can do this.
    For the people knowing WG, we are looking for something like the WG "Default Packet Handling" stopping the Spoofing attacks, Drop Port Space Probes, Address Space Probes, ….
    Thanks for your answer

    For a DOS attack, you can block an IP, which will not allow them to connect, but you'll get the packets. Blocking packets does not make them go away, it just keeps them from establishing a connection.

    DDOS attacks or spoofed attacks are actually detrimental to block IPs. Since IPs are already spoofed or there are so many of them, you'll just DOS your own machine by making your block lists too large.
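As an added illustration (not code from this thread, from pfSense or from any of the posters), here is a minimal per-source rate limiter in Python that models the behaviour asked for earlier in the thread (a source sending more than 1000 packets per second is blocked for 30 seconds) and shows the failure mode described in the post above: when sources are spoofed, every address sends one or two packets, nothing ever crosses the threshold, and the tracking table simply grows with the number of distinct sources. The class, function names, addresses and thresholds are all constructed for the example.

```python
"""Per-source packet-rate limiter with a sliding one-second window.

Constructed example, not pfSense code: models "block a source that exceeds
N packets/s for T seconds" and shows why it does not help against a
spoofed/distributed flood.
"""
from collections import deque


class SourceRateLimiter:
    def __init__(self, max_pps=1000, block_seconds=30, window=1.0):
        self.max_pps = max_pps
        self.block_seconds = block_seconds
        self.window = window
        self.recent = {}         # src_ip -> deque of packet timestamps inside the window
        self.blocked_until = {}  # src_ip -> time at which the block expires

    def is_blocked(self, src, now):
        """True while a block entry for src has not yet expired."""
        until = self.blocked_until.get(src)
        if until is None:
            return False
        if now >= until:
            del self.blocked_until[src]
            return False
        return True

    def observe(self, src, now):
        """Account one packet from src at time now; return 'drop' or 'pass'."""
        if self.is_blocked(src, now):
            return "drop"
        q = self.recent.setdefault(src, deque())
        q.append(now)
        # Drop timestamps that have fallen out of the sliding window.
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) > self.max_pps:
            # Threshold crossed: block this source and stop tracking its history.
            self.blocked_until[src] = now + self.block_seconds
            del self.recent[src]
            return "drop"
        return "pass"

    def tracked_sources(self):
        """Memory cost: nothing here ever removes idle sources, which is the
        growth problem the thread describes for spoofed floods."""
        return len(self.recent) + len(self.blocked_until)


def single_source_flood(limiter, src="198.51.100.7", pps=2000, seconds=2):
    """One real source at 2000 pkt/s: returns (dropped, passed) counts."""
    dropped = passed = 0
    for i in range(pps * seconds):
        t = i / pps
        if limiter.observe(src, t) == "drop":
            dropped += 1
        else:
            passed += 1
    return dropped, passed


def spoofed_flood(limiter, n_sources=4000, pps=2000):
    """n distinct (constructed, spoofed) sources, one packet each, over the
    same 2 s: returns (dropped, tracked_sources)."""
    dropped = 0
    for i in range(n_sources):
        src = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"  # constructed
        if limiter.observe(src, i / pps) == "drop":
            dropped += 1
    return dropped, limiter.tracked_sources()


if __name__ == "__main__":
    print("single source:", single_source_flood(SourceRateLimiter()))
    print("spoofed sources:", spoofed_flood(SourceRateLimiter()))
```

The single-source case behaves as the original question hoped: the first 1000 packets pass, the 1001st trips the threshold and the rest are dropped for 30 seconds. The spoofed case drops nothing and leaves 4000 entries in the table, and in both cases every packet still arrived on the interface, so link capacity is what decides whether the site stays reachable.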



  • That still won't protect you from any kind of DDoS.  Nothing can protect you from DDoS other than global load-balancing.



  • The Watchguard crud isn't all it's cracked up to be. The "Drop spoofing attacks", "IP source route", and some others are all things we do by default and you can't turn off. The various flood attacks can either be done with the advanced options in firewall rules, and/or with Snort, but…

    @Carreswag:

    I just used snort and set some of the rules, like Maximum new connections / per second to 10/1, Just tested and it works.

    Until you get hit with an attack and Snort actually makes things worse by chewing up huge amounts of hardware resources dealing with the traffic. Max new connections/sec can help in preventing state table exhaustion. You're likely going to be knocked offline completely before any of that will matter though. Same with the Watchguard's "Default Packet Handling" options, that's marketing fluff more than anything useful against real DDoS attacks.
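As an added example (hand-written here, not taken from this thread or from pfSense's own generated ruleset), this is the pf.conf form of the rule the "advanced options" on a pfSense firewall rule produce: a per-source new-connection rate of 10 per second that overloads the source into a table which is then blocked. The interface, server address, table name and thresholds are assumptions chosen for the example.

```pf
# Added example: pf.conf equivalent of pfSense "Advanced Options" on a pass rule.
# $ext_if, $web_srv, <flood_src> and the numbers are assumptions, not from the thread.
ext_if  = "em0"
web_srv = "192.0.2.10"
table <flood_src> persist

# Sources already in the overload table are dropped before any state is created.
block in quick on $ext_if from <flood_src>

# Allow HTTP but cap per-source state creation. More than 10 new connections
# from one source within 1 second ("Max new connections / per second 10/1")
# puts that source into <flood_src> and flushes the states it already holds.
pass in on $ext_if proto tcp from any to $web_srv port 80 \
    flags S/SA keep state \
    (max 50000, max-src-conn 100, max-src-conn-rate 10/1, \
     overload <flood_src> flush global)
```

`max` bounds the number of states the rule can hold and `max-src-conn` the number of established connections per source, so together with `max-src-conn-rate` this guards the state table, which is exactly the exhaustion case mentioned above. Entries in the overload table need to be aged out (`pfctl -t flood_src -T expire 1800` removes entries older than 1800 seconds), otherwise the table grows the same way a naive block list does. None of this reduces the traffic reaching the interface; a flood that fills the link takes the site offline before the rule ever matters.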