I'm under attack?! What's it all about?

  • Good day all,

    Been happily using pfSense at home in the UK for some 6 months. With a fair amount of lurking here (tks to all the contributors) I have everything set up the way I want. Vlans, VPNs, DNS forwarding, scheduling etc etc.

    I have 3 VPNs clients setup in an indentical manner. All are from PureVPN and they work well. I generally use the NL one since this circumvents UK blocks and is very reliable and very fast (abt 30mb/15mb, 24/7). I also have a Denmark one setup as u can see from the logs but no client’s currently use it - it's just running as a backup in case the NL one dies in the middle of "the big game". A Firewall rule directs the traffic to whichever gateway depending on the IP address used by the client - this allows me to switch depending on what the client is doing. Seems to work perfectly. Here’s the firewall:

    BBBBUUUUUTTTTTT here’s my firewall log:

    It seems that the PURE_NL interface is under constant bombardment. This is obv just an excerpt, there’s on average abt 200 per minute - 24/7. I am no expert on this at all so I was wondering what all this blocked traffic really is - I assume its not friendly since many of the IPs appear on anti hacker blacklists and come from places that I have nothing to do with: Russia, Nigeria, China and surprisingly a huge percentage are from Canada. My questions are:

    1. Is this a problem with Pure and their Dutch VPN, bcos it doesn’t happen to the Denmark or UK gateways, or my ISP's gateway (Plusnet UK)
    2. Can I/Should I do anything about it?
    3. Should I tell Pure or is this kind of normal?
    4. Will this excessive traffic slow my network down at all - it doesn't seem to currently

    Tks in advance if anyone could enlighten me. Maybe this goes on all the time and it’s just that using pfSense makes it so easy to see what’s really going on? It's worrying me though.


  • The IP handed to you has probably been used by someone else. It's definitely not an "attack". Too slow and a very specific port. UDP traffic is just random ports, probably bittorrent.

  • LAYER 8 Global Moderator

    8621, is that where you see most of your hits?  is that a port you use for p2p or something.  I show it as

    EMC2 (Legato) Networker or Sun Solcitice Backup (Official)
    irdmi Web service, iTunes Radio streams

    You running either of those on it?

    There is lots of noise on the internet.  While 200 hits per minute isn't all that much, it is enough to draw attention?  Might want to look why its drawing traffic to it, maybe your IP was someone elses that was running either of those services or p2p on that port?  I don't see any hits to that port on mine.  Maybe you can check with your vpn provider about it.

  • Thanks very much guys. I waited till I posted here bcos I didn't want to make too much of a 'Richard' out of myself but seems I have ;(

    I am running a Bittorrent client on the PURE-NL interface and when I kill it, then the 'attacks' stop. The bittorrent client runs 24/7 and uses UPnP. I think I'll put it in a VLAN and open the correct ports to it - that should improve my torrenting and I won't have to worry about all that incoming traffic on a separate LAN.

    Cheers again - this and your countless other responses to others have been most helpful to me setting all this up.