DDoS protection



  • Hello there  ;D

    (first of all, sorry for my English)

    I am permanently DDoS-attacked on a legitimate port used by one of my servers (SYN flood),
    and I'm very tired of manually blocking all these IPs!

    So my question is: does a software/package/plugin/addon/else exist and could it ban these IPs for me automatically?
    I've seen that I could limit the number of simultaneous connections in pfSense, but it doesn't seem to ban the IP…
    What I am looking for is something like "block this IP (add to block list) when more than 10 connections/s"

    Please, is it possible in pfSense? What do you think I should do? Do you have some useful links?

    I have to say that I'm not an expert at installing apps from the command line, so if there are "easy" solutions that would be perfect (I am dreaming), but I am also open-minded to all your suggestions!

    Thanks   ::)



  • Maybe you could just change the state type? (see attachment)

    AFAIK there is no functionality to ban users automatically.




  • Thank you for replying so quickly  ;)

    Yes! You're right, it's already one thing I can do! I didn't remember this option   :P
    (I'm not in front of pfSense right now, I will test)

    If this isn't enough, do you know a package or something that can help me?
    In fact, in general, do you know what admins use to protect a network from DDoS attacks?

    Thanks.



  • In the firewall rules you can set limits like x connections per y time or maximum simultaneous connections per IP. It's hidden behind the advanced button when editing a rule. Besides that, the Snort package might be able to detect such attacks and blacklist these IPs (depending on the type of attack and if Snort has a detection rule for it).
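
The per-source limits mentioned in the reply above correspond to state-tracking options in pf, the packet filter pfSense is built on. As an added example (not from the thread, and written as plain pf.conf syntax, not a pfSense GUI procedure), this rule moves a source into a block table once it exceeds 10 new connections per second, the threshold the original poster asked for. The interface name, server address, port and table name are constructed placeholders.

```conf
# Added example: plain pf.conf, constructed placeholders throughout.
ext_if   = "em0"          # assumed WAN interface name
server   = "192.0.2.10"   # documentation address standing in for the protected server
svc_port = "8080"         # assumed service port

# Sources that tripped a limit; "persist" keeps the table when it is empty.
table <abusers> persist

# Drop anything from a listed source before other rules are evaluated.
block in quick on $ext_if from <abusers>

# synproxy state: pf completes the TCP handshake itself, so spoofed SYNs
# never reach the server and never create half-open sockets on it.
# max-src-conn:       at most 50 established connections per source
# max-src-conn-rate:  at most 10 new connections per 1 second per source
# overload ... flush global: add the offender to <abusers> and kill
#                     all of its existing states
pass in on $ext_if proto tcp from any to $server port $svc_port \
    flags S/SA synproxy state \
    (max-src-conn 50, max-src-conn-rate 10/1, overload <abusers> flush global)
```

pf applies these per-source limits only to connections that have completed the three-way handshake, so spoofed SYNs are absorbed by `synproxy state` while the overload table catches real sources that connect too fast. Entries can be aged out with `pfctl -t abusers -T expire 3600`.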



  • Hello, and thanks for the suggestions  ;)

    I changed the state type as recommended by GruensFroeschli, it's now in "synproxy state" instead of "keep state".
    I also tried to change the number of maximum new connections per second, and maximum state entries per host…

    But it didn't protect my server enough  :(

    So I looked around Snort: there do exist some rules to fight against DDoS (yeahhh) called "ddos.rules" and "dos.rules", but they seem to be only for particular cases and protocols:

    DDOS tfn2k icmp possible communication
    DDOS Trin00 Daemon to Master PONG message detected
    DDOS Trin00 Daemon to Master HELLO message detected

    and other things like this.

    It appears that I can edit these existing rules: I tried to change the destination port, but that's not enough to make the rule detect the attack, and I can't create any new ones.

    Does someone know why? Do you know how I could use Snort to protect my server?

    I'm very sorry to insist like this, but I'm sure you know how annoying DDoS attacks are  :'(
    Thanks for the help!



  • Hello,

    Please, does someone have a solution (or an idea) to protect a network against DDoS attacks?
    (with pfSense or something else)



  • Have you tried contacting your ISP?



  • Hello Perry,

    I didn't try to contact them because I don't think they will do anything…
    It is known that ISPs could block DDoS attacks by simply filtering spoofed IPs from their IP ranges, but they don't do anything, so...

    That's why I'm looking for a local solution, in order to manage such situations by myself anywhere I could be, but I'm still waiting for it  :P



  • A Google search on " ddos protection +freebsd " turns up

    http://www.webhostingtalk.com/showthread.php?t=647542

    http://silverwraith.com/papers/freebsd-ddos.php

    Maybe not the solution you're seeking, but anyway a good read IMO.

