DDOS / SYN using udp.pl and hping3 testing
-
Hello,
so we have a pfsense box that we use for the BGP (we have 2 internet connections in BGP, each one with 200 Mbps bandwidth). Our upstream providers have some ddos / syn protections, they block hping3 and they filter ddos but not entirely. The good thing is that we can block a ./udp.pl attack from the pfsense box (adding a rule to block the attackers IP) and the ddos will not affect us, the problem is that we want to create a rule that will auto block any DDOS.
Any ideas on how can i do this with pfsense ? I have tried several rules on my lan (for testing) but no luck. I am flooding myself with ./udp.pl and hping3, for udp.pl i have tried the Maximum number of unique source hosts option and now the attack will show on the firewall log but pfsense is passing this traffic and not blocking it so i need some rule to block this.
For hping3 i have tried Maximum number of established connections per host (TCP only), Maximum new connections per host / per second(s) (TCP only) with synproxy state but it seems that all this will do nothing about the SYN flood, i can't even see the SYN in the firewall logs.. nothing.
Any sugestions on how to block this attacks automatically, maybe using Snort ?
Thank you !