Netgate Discussion Forum

    UDP DDoS protection with pfSense

    Firewalling
      bilal91 last edited by

      Hey everyone,

      Yesterday I faced a very large DDoS attack which resulted in a null route from my ISP. I asked them to open it, but the DDoS was still going on, so they null routed my IP again. I have a very sensitive business which needs 100% uptime.

      So.. I have a fiber line which I have 5 IPs on; one of the IPs is the main server which was under attack. I have been browsing since yesterday for solutions and I found online to go with pfSense; I saw many people mitigating attacks with it too. So I installed it on a machine myself, and I also bought a stresser (ddoser) available online to test for DDoS.

      Let's say I'm protecting my main IP, that is: 1.1.1.1

      I gave my WAN IP 1.1.1.1 and local is w/e; I attached it to the main server for local.

      So far so good, I set up a rule to block all the incoming UDP packets.

      I tested it with the stresser on WAN IP 1.1.1.1; my server went down in 1 sec.

      What I can't get clear in my head is how a firewall can work when all those packets reach the network already; the network can't really handle it, so how can a firewall work? The only thing I can think of is blocking them somehow before those packets even reach my firewall machine.

      Am I right? If so, how is that possible?

        johnpoz LAYER 8 Global Moderator last edited by

        Not sure what you were reading, but you are correct, you cannot stop a DDoS with a firewall at the end point of the attack..  If they fill up your pipe it does not matter what the firewall does with the packet, be it drop it or allow it.  The pipe is full, it's too late.

        Allowing your pipe to have traffic flow means the traffic has to be stopped before it heads down your pipe.

        If the type of attack was say using something on your end in an amplification sort of attack, where they are sending you stuff and for whatever reason you're answering it and causing massive upload, or for your server to be overloaded, then sure a fw at your end could be used to make sure those packets causing the amplification just get dropped and/or not sent to your server.  But if the attack is filling up your pipe on its way to you - there is nothing that can be done at your end other than getting a fatter pipe, or changing IP.

        Now if your old fw was not able to handle the traffic even if not filling up your pipe, then sure a better firewall that can handle the traffic could allow you to ride out the storm if you will.

        But in general with a ddos sending massive amounts of traffic your way, your ISP needs to head off the traffic before it gets sent down your pipe.

          bilal91 last edited by

          @johnpoz:

          Not sure what you were reading, but you are correct, you cannot stop a DDoS with a firewall at the end point of the attack..  If they fill up your pipe it does not matter what the firewall does with the packet, be it drop it or allow it.  The pipe is full, it's too late.

          Allowing your pipe to have traffic flow means the traffic has to be stopped before it heads down your pipe.

          If the type of attack was say using something on your end in an amplification sort of attack, where they are sending you stuff and for whatever reason you're answering it and causing massive upload, or for your server to be overloaded, then sure a fw at your end could be used to make sure those packets causing the amplification just get dropped and/or not sent to your server.  But if the attack is filling up your pipe on its way to you - there is nothing that can be done at your end other than getting a fatter pipe, or changing IP.

          Now if your old fw was not able to handle the traffic even if not filling up your pipe, then sure a better firewall that can handle the traffic could allow you to ride out the storm if you will.

          But in general with a ddos sending massive amounts of traffic your way, your ISP needs to head off the traffic before it gets sent down your pipe.

          It's a 10gb attack, I can't get that big bandwidth here. And as to your question, my server does not respond to those, it just drops them.

          Is there any way to block the attacks before they come to my network without filling it?

          In my case I have a fiber line connected through a media converter, and an Ethernet wire from the media converter goes to a switch from where all the servers get their public static IP. Maybe some way to plug that main media converter Ethernet wire into the firewall, but then what will be its WAN IP? So confusing! There must be a way though (ISP doesn't give a damn, all they do is null route my IP).

            johnpoz LAYER 8 Global Moderator last edited by

            "is there any way to block the attacks before it comes to my network without filling it?"

            Yes you need your ISP to do that..  Or you need to change your IP.. But most likely if it's a deliberate attack they will figure out your IP changed and just start hitting your new one.

            And NO there is nothing you can do if your pipe is full at your end..

            You can look into a company like Radware..  They have some stuff that diverts the traffic to their cloud stuff if your pipe is being saturated.  Sorry but there is just nothing you can do with a firewall to stop a FULL PIPE attack against you, be it from 1 single IP on the internet or hundreds or thousands of them.. If your pipe is full it's full.. Think of it as say a beer bong that can deliver 1 beer in 30 seconds to you..  If someone wants to pour 12 beers a second into your bong – what are you going to do at your end?  When it's overflowing at the funnel at the top already??

            If they are pouring beer into the bong on the 2nd floor of the dorm so fast it's overflowing the funnel and you just have it pouring onto the ground at this point, other than having them pour the beer slower (ISP) what can you do.

              bilal91 last edited by

              @johnpoz:

              "is there any way to block the attacks before it comes to my network without filling it?"

              Yes you need your ISP to do that..  Or you need to change your IP.. But most likely if it's a deliberate attack they will figure out your IP changed and just start hitting your new one.

              And NO there is nothing you can do if your pipe is full at your end..

              You can look into a company like Radware..  They have some stuff that diverts the traffic to their cloud stuff if your pipe is being saturated.  Sorry but there is just nothing you can do with a firewall to stop a FULL PIPE attack against you, be it from 1 single IP on the internet or hundreds or thousands of them.. If your pipe is full it's full.. Think of it as say a beer bong that can deliver 1 beer in 30 seconds to you..  If someone wants to pour 12 beers a second into your bong – what are you going to do at your end?  When it's overflowing at the funnel at the top already??

              If they are pouring beer into the bong on the 2nd floor of the dorm so fast it's overflowing the funnel and you just have it pouring onto the ground at this point, other than having them pour the beer slower (ISP) what can you do.

              Thank you for the detailed answer :)

                Guest last edited by

                "It's a 10gb attack, I can't get that big bandwidth here. And as to your question, my server does not respond to those, it just drops them."

                And if you get 10 GBit/s at the WAN and they attack you with 300 GBit/s you will lose again!

                "Is there any way to block the attacks before they come to my network without filling it?"

                Your ISP or your hoster would be setting up a device or service in front of your IP address.

                "In my case I have a fiber line connected through a media converter, and an Ethernet wire from the media converter goes to a switch from where all the servers get their public static IP,"

                Without SPI/NAT or a firewall and rules you are attaching servers to the Internet???

                "maybe some way to plug that main media converter Ethernet wire into the firewall,"

                Would be a more secure solution than what you have now.

                "but then what will be its WAN IP? So confusing!"

                The one you enter in the WAN menu.

                "There must be a way though (ISP doesn't give a damn, all they do is null route my IP)"

                Perhaps they can't do anything? There are some devices that can be placed in front of your business Internet connection, but they are often very expensive, and there are also some services that can be hired or rented to take the DDoS load off the line, but those are also mostly very expensive.

                The Corero IPS 5500 ES-Series would be one of these devices you could try to place in front of your firewall, and then you would be back in the game. Corero SmartWall

                Corero is using hardware from Tilera, based on so-called many-core CPUs, and this is definitely not cheap.

                  johnpoz LAYER 8 Global Moderator last edited by

                  And it does not matter if you put a Super Computer box at the end of the pipe that can simulate the weather of the Planet for 100 years in 10 microseconds..  If the pipe is full the pipe is full!  Sorry end of story..  As you mentioned there are services to direct your traffic through them, they filter it on very LARGE PIPES so the small pipe to you is clear and only non-ddos traffic goes down it..

                  Sorry, there is no magic box you put at your location that stops a ddos from filling up your pipe to the internet.  If that pipe is full it is FULL, the only fix is to stop the traffic before it gets to your pipe.  That is done at the ISP layer.

                    Guest last edited by

                    "And it does not matter if you put a Super Computer box at the end of the pipe that can simulate the weather of the Planet for 100 years in 10 microseconds.."

                    In the front or in the middle, but no one was talking about the end!
                    The SmartWall series is aimed more at enterprise and pro clients, from 1 GBit/s - 10 GBit/s, ~40 GBit/s and up to 160 GBit/s. And the Corero IPS 5500 ES-Series would be more for really big companies or ISPs that can then set up the box between their clients and the Internet.

                    "If the pipe is full the pipe is full!  Sorry end of story.."

                    The pipe will not be able to be filled, because the device is acting as a filter in front of your network, either installed on the ISP side or yours!
                    ISP side:
                    Internet --- ISP --- Corero IPS --- Client --- his firewall --- his servers
                    Client side:
                    Internet --- ISP --- Client --- Corero SmartWall --- his firewall --- his servers

                    "As you mentioned there are services to direct your traffic through them, they filter it on very LARGE PIPES so the small pipe to you is clear and only non-ddos traffic goes down it.."

                    This is right, so we are talking about three versions now!

                    • Your ISP places such a device before the traffic comes through his network to yours
                    • You place such a device in front of your network (your firewall) to filter it
                    • You or your ISP is able to rent such a service from somebody who is offering this.
                      But the services are mostly for much more GBit/s of traffic than these devices are able to handle.
                      Perhaps we are talking then about >300 GBit/s of attack traffic.

                    "Sorry, there is no magic box you put at your location that stops a ddos from filling up your pipe to the internet."

                    Why sorry? You trust this box or not! And here are two of them.
                    Corero SmartWall
                    Corero IPS 5500 ES-Series

                    "If that pipe is full it is FULL, the only fix is to stop the traffic before it gets to your pipe.  That is done at the ISP layer."

                    What prevents you from installing a device in front of your pfSense or plain firewall? So yes, when your ISP is offering such a service and is willing to set up such devices on his side for his clients, for sure it could be done, but if not, you are also able to set up a "box" in front of your pfSense if you have the money or your ISP is not willing to do so.

                      Nullity last edited by

                      Once traffic has saturated a client's pipe, there is nothing the client can do. You cannot unsend traffic. The ISP must intervene upstream.

                        NOYB last edited by

                        @bilal91:

                        I have a very sensitive business which needs 100% up time,

                        Then, as mentioned by others, you probably need to hire a service to filter your traffic before it comes down the pipe from ISP to you.  Or if the ISP has the capability, get them to filter your traffic instead of just null routing.

                        I'm curious.  Do you have any inclination at all of who or the motive that is behind the attack?  Competitor, someone doesn't like you, disgruntled customer or employee, extortion, etc.?

                          johnpoz LAYER 8 Global Moderator last edited by

                          "In the front or in the middle, but no one was talking about the end!"

                          Yeah dude we are talking about the END.. This poster cannot put devices at his ISP connection…  Read what the OP is asking.. Sorry there is NO box you can put at the end of the pipe to stop the pipe from being full..

                          There is no magic.. If the ISP sends you traffic that fills your pipe, it is FULL and there is nothing your end can do about it.. No magic box to fix it..  Be it a pfSense firewall, or some 1 Million Dollar super firewall..  Now what you can do is have a box on your end that detects the ddos and adjusts routes upstream, etc.  Look into Radware, which I mentioned.

                          Why don't you read a bit about that SmartWall you're touting and where it gets placed.. It sure as F is not placed at the end of the pipe..  Those devices are for host providers, ISPs or LARGE enterprises to put in their cores..  They are not something an end user small company buys and places at their location.

                            Guest last edited by

                            So a used or refurbished device that was announced for sale, which I've seen, was not $2.500, which could have been a fair price to get rid of these DDoS attacks also for smaller but very busy companies, as I thought it would be a really good deal.  ::)

                            Real world prices:

                            • Corero IPS 5500 ES-Series is starting at ~$25.000,00  :-[
                            • Corero SmartWall middle to large devices (40 GBit/s) is starting at ~$250.000,00  :-[

                            Ok, these devices would be doing the job, but only for enterprise companies and middle or larger ISPs.  ::)
                            For sure you were right johnpoz.

                            Also the A10 Thunder TPS Series is starting at ~$195.449,00, so preventing DDoS would be a super game but only for big players, as I see it. And trust me, these boxes must be working! Akamai.net was spending nearly ~$370.000.000,00 for hardware and equipment to handle those DDoS attacks properly.

                              Nullity last edited by

                              @johnpoz:

                              …
                              There is no magic..
                              ...

                              lol

                              Those damn "DDoS defenderers" … what do they do, aside from being exclusive and expensive? Do they employ quantum entanglement or Cat7 Mobius cables?

                                hda last edited by

                                Nah not CAT-7 QE Mob quality, they cooperate for a business model ;) Akamai's costs will be billed to layer-8.

                                  johnpoz LAYER 8 Global Moderator last edited by

                                  What I would like to know is what the OP was reading that pointed him to pfsense mitigating attacks?

                                  "i found online to go with pfSense, i saw many people mitigating attacks with it too"

                                  There are lots of threads here asking the same thing - and they always get the same answer, you can not stop a DDOS with a firewall..  So either he was not reading the full thread/article or misread the information?

                                  If the OP's business is so critical and of such a nature that ddos is of concern, they need to host services out of a location where they can be protected against it, not at your location at the end of a fiber connection provided by an ISP that doesn't provide any sort of ddos mitigation services.  And from the sounds of it - not even a firewall??

                                  This is the scary part
                                  "maybe some way to plug that main media converter Ethernet wire into firewall, but then what will be its wan ip? so confusing!"

                                  How is this guy running a company based upon providing services connected to the internet?? I just don't get it…

                                    Gertjan last edited by

                                    Running a "very sensitive business" from 'home' ??
                                    I don't know what 'sensitive' is, but I would run any serious (critical) business from a serious server, placed on a 'serious' spot, like a good data center.
                                    If you use a good host, think about putting another serious 'tool' in front of it, like Cloudflare (just to name one).

                                    I know my 'hosting company' eats 500 Gbits DDOS like cake, so I never needed 'Cloudflare', or comparable, services.
                                    Putting yourself behind ONE incoming line without protection upfront just offers you one solution: they null-route you to protect their own (== ISP) network.

                                      Harvy66 last edited by

                                      Well, we should all know that any attack that consumes all of your bandwidth is impossible to stop at the edge, so let's rephrase the question to something useful and remove bandwidth from the equation. If one had an infinite amount of bandwidth, how well would pfSense hold up to a DDoS?

                                        Gertjan last edited by

                                        @Harvy66:

                                        …. If one had an infinite amount of bandwidth, how well would PFSense hold up to a DDOS?

                                        Using this one or this one ? ;)
                                        I guess the question will narrow down to how FreeBSD 10.x acts when DDoSed.
                                        The firewall pf being used is the one present in native FreeBSD (probably with some advancements, though).

                                        I understand your question, but you will probably find a final answer like "the role of a router / firewall device in front of a LAN" isn't 'eating ddos'.

                                          Harvy66 last edited by

                                          In theory the limiting factor should be PPS. FreeBSD and pfSense both have some ambitious goals to allow line-rate 40Gb stateful packet filtering, and even beyond. If you don't have the bandwidth, then you absolutely have to have a 3rd party service.

                                            NOYB last edited by

                                            @Gertjan:

                                            Running a "very sensitive business" from 'home' ??

                                            Didn't see where the OP said anything about running the business from home.  Did I miss that?

                                              doktornotor Banned last edited by

                                              None. pfSense is not a place to protect from DDoS. (And someone kindly lock this, the previous 50+ pages shit was just enough.)

                                                NOYB last edited by

                                                @doktornotor:

                                                None. pfSense is not a place to protect from DDoS. (And someone kindly lock this, the previous 50+ pages shit was just enough.)

                                                Is someone forcing you to read and respond?  Web forums in this regard are somewhat like TV where you have control of the on/off switch and channel.  The big difference is that the content is user generated.  But the viewing and responding is still under your control.

                                                I like hearing what people have to say…  so long as it is respectfully communicated and I can turn it off at will.  Why should others be denied due to your own lack of discipline over the on/off switch?

                                                  Harvy66 last edited by

                                                  @doktornotor:

                                                  None. pfSense is not a place to protect from DDoS. (And someone kindly lock this, the previous 50+ pages shit was just enough.)

                                                  I guess a better question is how many PPS of blocked or new-state traffic we should expect pfSense to handle given a modern quad or octa core CPU. I know there is a line rate initiative for pfSense for 40Gb+ rates that is probably 3+ years off; no doubt some of that needs many of the upcoming FreeBSD network stack SMP improvements. Some really cool stuff is coming that should allow FreeBSD to scale near linearly with cores.

                                                    Guest last edited by

                                                    @doktornotor

                                                    (And someone kindly lock this, the previous 50+ pages shit was just enough.)

                                                    On one side I am with you, that a closed and locked thread should not be warmed up or only slightly pushed into another one, and then go on without taking advantage of the admin's advice.

                                                    But mostly this also is owed to the kind and manner in which a thread goes or will be going. Also the style and way the thread is led will be a respectful point to watch out for.

                                                    @NOYB
                                                    I consider it, but then also not falling back to the way the last thread about this theme was running.

                                                    @Harvy66
                                                    If the big players in this game are using extra or special hardware, mostly or often based on the Tilera many-core CPUs (Tile-GX), why think it can be done in other cases with software only? Lanner is offering a bigger appliance like the FW-889x and an NCS-MTX401 add-in card, and on this card an SMP Linux can be installed and run that is able to offload 20 GBit/s - 40 GBit/s of packet processing, related to the kind of work for sure, like DPI, IDS/IPS, VPN crypto stuff.

                                                    So FreeBSD and/or pfSense are not really involved in this game and can easily be natively installed on those machines, or as one or more VMs on a host like this, but owing to the fiber bypass mode it is able to sort out much traffic like a synflood or DoS/DDoS attack. And yes, for sure there are many other PCIe cards out from Tilera that can be installed in an ordinary existing server running pfSense.

                                                    But the real clou will be that we are able to pay for such cards, but not really for the devices named some posts above by me. It can be a real show-stopper for the bigger sold devices because FreeBSD must not really be touched; the working SMP Linux is installed and homed on the card's NAND flash memory.

                                                    And the C2758, XG-1540 or following appliances would be able to hold one PCIe card as I see it. So I think DDoS attacks could also be mitigated from 1 GBit/s to xx GBit/s.
                                                    Tilera EZ cards

                                                      Harvy66 last edited by

                                                      An overly simplified way to look at it is how many cycles per packet are spent. If I have a 3GHz quad core CPU, that's 12GHz of peak processing power. If you assume a large 1,000 cycles per packet (proof of concept can get it as low as 100 cycles per packet), that leaves you with 12M pps.

                                                      Ideally, with breathing room, my quad core should be able to handle near line rate of 10Gb/s 64-byte packets (half-duplex). Of course life isn't this simple. We have context switches, data bouncing between cores, complex routing, a bunch of firewall rules a user made, and a host of other reasons that need to be ironed out.

                                                      When I saw my computer crapping out at 30K pps, that places the computational load around 400K cycles per packet, or 400x worse than my simple 10x real-world figure above, placing the current system somewhere between 400x and 4000x slower than it could be. That's a lot of room for optimizations.

                                                      All I'm saying is, don't say it can't be done, it just requires a lot of the work that is already being talked about. The netmap people showed a single core 900MHz CPU doing line rate 10Gb/s with a very simple single-entry route and no firewall, and that was being handled in userland, not the kernel, so it could be even faster. I can't wait for 3 years from now; I expect FreeBSD to be in a very good place with network performance.

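The cycles-per-packet arithmetic in the post above, worked into a small calculator. This is an added example and not code from the thread, from pfSense or from FreeBSD; the Ethernet preamble and inter-frame-gap constants are standard, and the 3 GHz, quad-core, 1,000 cycles/packet and 30K pps figures are the post's own. It goes one step further than the post by computing the wire-level line rate for any link speed and frame size, so the CPU bound and the link bound can be compared directly.

```python
"""
Packet-rate budget calculator (added example; not from the thread or pfSense).

The post above argues that a firewall's real limit is packets per second (pps),
bounded by (a) what the link can deliver for a given frame size and (b) how
many CPU cycles each packet costs. These functions make both bounds explicit.
"""

# Per-frame wire overhead outside the Ethernet frame itself (standard values).
PREAMBLE_AND_SFD_BYTES = 8
INTER_FRAME_GAP_BYTES = 12
MIN_FRAME_BYTES = 64  # smallest Ethernet frame, FCS included


def line_rate_pps(link_bps: float, frame_bytes: int = MIN_FRAME_BYTES) -> int:
    """Frames per second a link can physically carry at a given frame size."""
    wire_bits = (frame_bytes + PREAMBLE_AND_SFD_BYTES + INTER_FRAME_GAP_BYTES) * 8
    return int(link_bps // wire_bits)


def cpu_pps_budget(clock_hz: float, cores: int, cycles_per_packet: float) -> int:
    """Packets per second the CPU can handle if every packet costs
    cycles_per_packet and the work spreads perfectly across cores
    (the post's 'peak processing power' assumption)."""
    return int(clock_hz * cores // cycles_per_packet)


def implied_cycles_per_packet(clock_hz: float, cores: int, observed_pps: float) -> float:
    """Given a measured pps ceiling, the cycles each packet must be costing."""
    return clock_hz * cores / observed_pps


def bottleneck(clock_hz: float, cores: int, cycles_per_packet: float,
               link_bps: float, frame_bytes: int = MIN_FRAME_BYTES):
    """Return ('cpu', pps) or ('link', pps): which bound is hit first, and where."""
    cpu = cpu_pps_budget(clock_hz, cores, cycles_per_packet)
    link = line_rate_pps(link_bps, frame_bytes)
    return ("cpu", cpu) if cpu < link else ("link", link)


if __name__ == "__main__":
    # Figures from the post: 3 GHz quad core, 1,000 cycles/packet, 10 Gb/s, 64-byte frames.
    print("10GbE line rate @64B :", line_rate_pps(10e9), "pps")          # 14880952
    print("CPU @1000 cyc/pkt    :", cpu_pps_budget(3e9, 4, 1000), "pps")  # 12000000
    print("bottleneck @1000 cyc :", bottleneck(3e9, 4, 1000, 10e9))
    print("bottleneck @100 cyc  :", bottleneck(3e9, 4, 100, 10e9))
    # The post's observation: a box topping out at 30K pps on that CPU.
    print("implied cycles/packet:", implied_cycles_per_packet(3e9, 4, 30_000))  # 400000.0
```

At 1,000 cycles per packet the CPU budget (12M pps) sits just under the 64-byte line rate of 10GbE (about 14.88M pps), which is why the post calls it "near line rate"; at the 100-cycle proof-of-concept figure the link becomes the limit instead. The measured 30K pps ceiling works out to 400K cycles per packet, matching the post's estimate.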
                                                        NOYB last edited by

                                                        I always thought it backwards from a performance perspective for the firewall to be post-NAT.  Burning cycles NATing a bunch of traffic that is just going to be blocked anyway seems inefficient.

                                                          mer last edited by

                                                          @NOYB:

                                                          I always thought it backwards from a performance perspective for the firewall to be post-NAT.  Burning cycles NATing a bunch of traffic that is just going to be blocked anyway seems inefficient.

                                                          That is an interesting POV (thinking out loud here).  Perhaps it depends on "what NAT" is involved.  Inbound NAT/redirect: yes, that makes a lot of sense to look at the firewall first, but if the inbound traffic doesn't match any redirect/NAT rules then it doesn't really get NATted, does it?  Responses to outbound traffic that was NATted should be a lookup and simple state match, no?  Maybe firewall block rules on the external interface, based on source information or dest port, could actually be done prior to NAT.  Like if you are not running a webserver, "block in on $ext_if dest port 80" run before any NAT or redir would make sense.

                                                          In a "typical" NAT environment (most home users, maybe SOHO use), inbound traffic is related to traffic that originated behind the NAT, so NAT before state checking is needed.

                                                          Maybe we also need to think about what happens when a packet is NATted or redirected too.  How much of the packet gets rewritten, what checksums need to get updated, is the checksum offloaded?

                                                            Guest wrote:

                                                            inbound traffic is related to traffic that originated behind the NAT so NAT before state checking is needed.

                                                            That's the point I want to get closer to. If traffic is generated towards the outside, like opening a web page,
                                                            the connection is placed in a connection table. If the TCP/IP packets now come back and want to be
                                                            forwarded to the PC or machine that was asking for them, the NAT process must look in this connection
                                                            table for an open connection entry, and then the packet is forwarded to the PC or it is
                                                            dropped. OK, for sure this can also be done natively by pfSense without such a card, but if there
                                                            are then one or more open ports for the servers in the DMZ, it perhaps comes to the point where the pipe
                                                            gets filled up, and only for this I thought those cards would be fine to do the job: checking and dropping or
                                                            forwarding them.

                                                            And this is, in my humble opinion, exactly the point where the two differ totally!

                                                            • The home or consumer grade SPI/NAT is doing something like the following:
                                                              Deny all, and then have a look in the connection table for an open connection from inside.
                                                              So it is intended that all packets stay outside.
                                                            • But the SPI/NAT way of pfSense is doing it in the totally opposite direction, as I see
                                                              it; please correct me if I am wrong about this!
                                                              Let them (TCP/IP packets) all in, to inspect them by one or more rules.
                                                              So the many packets from an attack are able to get in and fill the pipe, and nothing more gets through.
                                                              bilal91 wrote:

                                                              @NOYB:

                                                              @bilal91:

                                                              I have a very sensitive business which needs 100% up time,

                                                              Then, as mentioned by others, you probably need to hire a service to filter your traffic before it comes down the pipe from ISP to you.  Or if the ISP has the capability, get them to filter your traffic instead of just null routing.

                                                              I'm curious.  Do you have any inclination at all of who or the motive that is behind the attack?  Competitor, someone doesn't like you, disgruntled customer or employee, extortion, etc.?

                                                              Yup, it's a possible competitor, that's for sure :)

                                                                bilal91 wrote:

                                                                @johnpoz:

                                                                What I would like to know is what the OP was reading that pointed him to pfsense mitigating attacks?

                                                                "i found online to go with pfSense, i saw many people mitigating attacks with it too"

                                                                There are lots of threads here asking the same thing - and they always get the same answer, you can not stop a DDOS with a firewall..  So either he was not reading the full thread/article or misread the information?

                                                                If the OP business is so critical and of nature that ddos is of concern, they need to host services out of location that you can protect against it, not at your location at the end of a fiber connection provided by an ISP that doesn't provide any sort of ddos mitigation services.  And from the sounds of it - not even a firewall??

                                                                This is the scary part
                                                                "maybe some way to plug that main media converter Ethernet wire into firewall, but then what will be its wan ip? so confusing!"

                                                                How is this guy running a company based upon providing services connected to the internet?? I just don't get it…

                                                                It's a car tracking company; the data from the cars comes in all the time, so yeah, it's a service connected to the internet.

                                                                I read it somewhere, but I knew software firewalls can't do it, so I just wanted to clear it up for myself by asking here, to prove it to everyone who says they can stop UDP or amplification attacks with pfSense alone. I knew it's impossible, but I never saw anyone deny it, as far as my knowledge and your knowledge go. So things are clear now :)

                                                                And you're right, some ISPs just suck and don't care to provide security to their end users. Renting 6 dedicated servers was getting a bit expensive for me, so I didn't go online, but I guess I'll have no other choice in future if this continues; many online hosters will at least provide you with DDoS solutions.

                                                                  bilal91 wrote:

                                                                  @Gertjan:

                                                                  Running a "very sensitive business" from 'home' ??
                                                                  I don't know what 'sensitive' is, but I would run any serious (critical) business from a serious server, placed on a 'serious' spot, like a good data center.
                                                                  If you use a good host, think about putting another serious 'tool' in front of it, like Cloudflare (just to name one).

                                                                  I know my 'hosting company' eats 500 Gbit/s DDoS like cake, so I never needed 'Cloudflare', or comparable, services.
                                                                  Putting yourself behind ONE incoming line without protection upfront just offers you one solution: they null-route you to protect their own (== ISP) network.

                                                                  Did I say I'm running it from home? Sorry if I sounded that way, but.. I have a business place with my own dedicated servers. I currently have 6 servers running; renting them is a lot more expensive than the price I got them for here (but I think I will switch to online if this continues, as most data centers provide DDoS solutions), and you're right, ISPs mostly just null route you; that's the sad part.

                                                                    bilal91 wrote:

                                                                    @NOYB:

                                                                    @Gertjan:

                                                                    Running a "very sensitive business" from 'home' ??

                                                                    Didn't see where the OPer said anything about running business from home.  Did I miss that?

                                                                    You're right, I never said that! lol

                                                                      bilal91 wrote:

                                                                      @BlueKobold:

                                                                      It's a 10 Gb attack; I can't get that big a bandwidth here. And as to your question, my server does not respond to those, it just drops them.

                                                                      And if you get 10 GBit/s at the WAN and they attack you with 300 GBit/s, you will lose again!

                                                                      Is there any way to block the attacks before they come to my network, without filling it?

                                                                      Your ISP or your hoster would be setting up a device or service in front of your IP address.

                                                                      In my case I have a fiber line connected through a media converter, and an Ethernet wire from the media converter goes to a switch, from where all the servers get their public static IPs.

                                                                      Without SPI/NAT or a firewall and rules you are attaching servers to the Internet???

                                                                      Maybe some way to plug that main media converter Ethernet wire into the firewall,

                                                                      That would be a more secure solution than what you had before.

                                                                      but then what will be its WAN IP? So confusing!

                                                                      The one you enter in the WAN menu.

                                                                      There must be a way though (the ISP doesn't give a damn, all they do is null route my IP)

                                                                      Perhaps they can't do anything? There are some devices that can be placed in front of your business
                                                                      Internet connection, but they are often very expensive, and there are also some services that can be
                                                                      hired or rented to take the DDoS load off the line, but those are also mostly very expensive.

                                                                      The Corero IPS 5500 ES-Series would be one of these devices you could try to place in front of your
                                                                      firewall, and then you would be back in the game. Corero SmartWall

                                                                      Corero is using hardware from Tilera, based on so-called many-core CPUs, and this is definitely not cheap.

                                                                      Thanks for the detailed explanation! One question though: how does hardware limit the rate? If the DDoS is landing on my Corero SmartWall or whatever device I use, won't it be the same as it landing on the firewall machine, because once it lands on me my bandwidth will be filled up again?

                                                                        mer wrote:

                                                                        @BlueKobold:

                                                                        inbound traffic is related to traffic that originated behind the NAT so NAT before state checking is needed.

                                                                        And this is, in my humble opinion, exactly the point where the two differ totally!

                                                                        • The home or consumer grade SPI/NAT is doing something like the following:
                                                                          Deny all, and then have a look in the connection table for an open connection from inside.
                                                                          So it is intended that all packets stay outside.
                                                                        • But the SPI/NAT way of pfSense is doing it in the totally opposite direction, as I see
                                                                          it; please correct me if I am wrong about this!
                                                                          Let them (TCP/IP packets) all in, to inspect them by one or more rules.
                                                                          So the many packets from an attack are able to get in and fill the pipe, and nothing more gets through.

                                                                        Frank, interesting thoughts.  I don't know if I'm wrong or you are or we both are, but this is becoming interesting.

                                                                        So we have traffic from LAN side a.b.c.d:123456 destined for 1.2.3.4:80, with NAT enabled WAN is J.K.L.M, so NAT rewrites it to be sourced from J.K.L.M:987653.  The return traffic is from 1.2.3.4, to J.K.L.M.  Does pfSense translate/rewrite the packet to be to a.b.c.d:123456 and then look in the firewall rules?  I'm not 100% sure, but the documentation I've read at least implies that.

                                                                        Take a Linksys 54G doing similar function of NAT with stateful firewall.  Does the return traffic get rewritten and then firewall rules applied?  I don't know, but I think it should.  The firewall state table should have the outbound packet with LAN address/port, NAT does the rewrite before it leaves on the WAN interface.  To me that means the return traffic must be "de-NATted" before you look at the firewall state tables.

                                                                        Any return traffic would have destaddr in the packet to be the WAN interface;  NAT would have a lookup of WAN/port matching LAN/port2 in the table. 
                                                                        I don't think the simple lookup should be an issue, even at high inbound PPS.  I think what becomes more of an issue is what happens when you get a match;  you need to rewrite pieces of the packet (dest MAC, dest IP, dest port, one or two checksums) before passing the packet on.  That takes resources and time.  If checksumming is offloaded, then there is the potential for a context switch to get the modified packet back into the stack.

                                                                        I guess it's time to start sticking my nose into pf implementation on FreeBSD.

                                                                        mike

                                                                          Guest wrote:

                                                                          One question though: how does hardware limit the rate?

                                                                          That is what I have found on the Internet about this game, but I really
                                                                          know that absolutely no one will talk about the real workflow; that is called
                                                                          security by obscurity, I think. (Pictures: DDoS attacks Layer of defense & DME/Multi Core CPU/SME)

                                                                          If the DDoS is landing on my Corero SmartWall or whatever device I use, won't it be the same as it landing on the firewall machine, because once it lands on me my bandwidth will be filled up again?

                                                                          At first, and owing to the posts made by @johnpoz, I was also thinking that, but then I found more and
                                                                          more network drawings that told other things, about where such a device should or must
                                                                          be placed. And this is not even the same point if we are talking about several differently acting
                                                                          companies, like ISPs, data centers or web hosters. (Picture: Coreros ReputationWatch)

                                                                          because once it lands on me my bandwidth will be filled up again.

                                                                          The "device" is placed in front of the firewall, sorts all the bad things out and then only lets
                                                                          the clean traffic pass through to the firewall.
                                                                          (Picture: DDoS attacks layer of defense & First line of defense)
                                                                            Guest wrote:

                                                                            Hello Mike,

                                                                            I am not a professional or anything like that, but I am really interested in the topic and perhaps
                                                                            in the end of this story, or a solution that can be realized.

                                                                            I don't know if I'm wrong or you are or we both are, but this is becoming interesting.

                                                                            For sure this could all be; I am not a hardware engineer, code writer, pfSense core development
                                                                            member, pfSense expert or guru, or a forum administrator. I am only interested in this topic and in pfSense,
                                                                            more or less. And if a full-featured software-based firewall such as pfSense would not be able to
                                                                            handle attacks like this, but an ordinary lazy plastic home router for ~$100 is able to, it
                                                                            becomes even more and more interesting for me. Sorry to say this so plainly and naively, but it
                                                                            is like it is! Or, to come closer to the point, finding out what could make the difference
                                                                            between them would be really interesting for me.

                                                                            I don't think the simple lookup should be an issue, even at high inbound PPS.

                                                                            And here the fallacy lies six feet under: with a lazy, tiny or very cheap ASIC/FPGA at this point
                                                                            it could be running like hell, sorting these packets out, and for sure pfSense is not in need of
                                                                            this if we have a closer look at most of the hardware we are talking about here in the forum or that the pfSense
                                                                            store is offering now. There are worlds between them (home router & SG-xxx units).

                                                                            And I really think the NAT mechanism is more or less anything but a difficult or tricky thing.
                                                                            Client A behind the NAT opens a web page; this data would be pulled
                                                                            from the outside to the client behind the NAT and forwarded, and everything else
                                                                            coming from outside will be dropped. Something really tiny and lazy it must be, in
                                                                            my eyes. And for sure I know that I am now jumping into an open shark's mouth, but
                                                                            could it be that this version of doing NAT might find its way into the
                                                                            code of FreeBSD or pfSense, perhaps only as an option? Please remember I am no code writer
                                                                            or developer; I don't know anything about this, nor about what other code or functions
                                                                            on top would be affected by setting this version up, and for sure not as a replacement
                                                                            for the actual NAT version or way of doing it!!! Only perhaps as a so-called drop-down menu
                                                                            variant where the users or customers are able to choose what kind of NAT version
                                                                            they want to use, if this could be done. I really know some people are aware
                                                                            of this and really haven't wanted it for years, and for sure they all know
                                                                            why and why not, not like me as a noob and beginner, but perhaps this is what makes
                                                                            the difference in thinking about those cases.

                                                                            Because in my opinion, after this SPI and NAT process the firewall rules must then also
                                                                            only inspect the traffic that passed NAT, and not all the packets that are arriving,
                                                                            and for sure the same goes for the snort or suricata rules.

                                                                            I really don't know if I am now misleading others, or running in a so-called hamster
                                                                            wheel, or if I am a prisoner of my own mind; I am only interested in understanding
                                                                            this point: why a server-grade hardware-based firewall is not able to do it and a lazy
                                                                            ~$100 home router is able to do so.

                                                                              cmb wrote:

                                                                              @bilal91:

                                                                              Thanks for the detailed explanation! One question though: how does hardware limit the rate? If the DDoS is landing on my Corero SmartWall or whatever device I use, won't it be the same as it landing on the firewall machine, because once it lands on me my bandwidth will be filled up again?

                                                                              It's not possible to do anything on your end of the line to stop the typical UDP flood DDoS, because those are bandwidth exhaustion attacks (usually DNS or NTP amplification). It's too late by the time it gets to you, you can't change the fact your connection is flooded. Your ISP has to stop it before it reaches your connection.

                                                                              Where boxes like that can be useful are attacks like large scale SYN floods that go beyond what any firewall can handle in new connections/sec, but aren't so large that they completely fill your Internet connection.

                                                                              @BlueKobold:

                                                                              And if a full-featured software-based firewall such as pfSense would not be able to
                                                                              handle attacks like this, but an ordinary lazy plastic home router for ~$100 is able to

                                                                              There is no circumstance in which a consumer grade router is better at handling DDoS. Consumer grade devices are extremely poorly suited for resource exhaustion attacks.

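Added by the editor, not taken from any post in this thread: a minimal FreeBSD pf.conf in the pre-OpenBSD-4.7 syntax that pfSense 2.2.x generates behind its GUI (you do not hand-edit it on pfSense; it is written out here only to make the evaluation order visible). It puts together the three things argued over above: NOYB's and mer's question of whether filtering happens before or after NAT, the original poster's "block all inbound UDP" rule, and cmb's point that a stateful firewall can absorb a SYN flood only as long as the flood does not fill the link. The interface names, the LAN network, the web server address and the rate limits are placeholders chosen for the example.

```pf
# Editor's example, not from the thread. FreeBSD pf, old nat/rdr syntax.
# Interface names, networks, addresses and limits are placeholders.
ext_if    = "igb0"
int_if    = "igb1"
lan_net   = "192.168.1.0/24"
webserver = "192.168.1.10"
table <flooders> persist

set limit states 500000            # the state table is a finite resource
set optimization aggressive        # age idle states out faster under load

# --- Translation --------------------------------------------------------
# Translation rules are evaluated before the filter rules, so the filter
# rules below see translated addresses: a packet for port 80 that matched
# the rdr arrives at the filter with destination $webserver, not the WAN IP.
nat on $ext_if inet from $lan_net to any -> ($ext_if)
rdr on $ext_if inet proto tcp from any to ($ext_if) port 80 -> $webserver

# --- Filtering ----------------------------------------------------------
# Every packet is checked against the state table first; only packets with
# no matching state reach this rule list. Replies to LAN-originated, NATed
# connections (including UDP such as DNS) match their state and never
# consult the rules, so the UDP block below does not break them.
block in log all

# The rule the original poster configured. The drop happens here, on the
# box, i.e. only after the upstream link has already carried the packet.
# It spares the hosts behind the firewall some CPU; it frees no bandwidth.
block in quick on $ext_if inet proto udp from any to ($ext_if)

# What a stateful firewall can do against a SYN flood that does not fill
# the link: complete the handshake itself (synproxy), cap new connections
# per source, and overload offenders into a table that is blocked first.
block in quick on $ext_if from <flooders>
pass in on $ext_if inet proto tcp from any to $webserver port 80 \
    flags S/SA synproxy state \
    (max-src-conn-rate 100/10, overload <flooders> flush global)

pass out on $ext_if keep state
pass in on $int_if from $lan_net keep state
```

On a plain FreeBSD box this is syntax-checked with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f`. The thread's recurring point is what the comments spell out: each of these decisions is taken after the packet has crossed the WAN link, so the rules conserve CPU and state-table entries on the firewall, never upstream bandwidth, which is why only the ISP or an upstream scrubbing service can help against a flood that saturates the pipe.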
                                                                                chpalmer wrote:

                                                                                why a server-grade hardware-based firewall is not able to do it and a lazy
                                                                                ~$100 home router is able to do so.

                                                                                I think you will find that many consumer grade devices don't even have anything close to what you would call a firewall.  All of my original devices were not.

                                                                                It's the very reason I looked up Monowall then soon after found pfSense.  You got one thing right-  lazy!

                                                                                  Supermule wrote:

                                                                                  You cannot use pfsense for DDoS protection.

                                                                                  You can still flood it with sub-10 Mbit/s traffic and it dies.

                                                                                  Tested on 2.2.4 AMD64.

                                                                                    doktornotor wrote:

                                                                                    And here we go again, exactly as predicted… Yay.
