UDP DDoS protection with pfSense

bilal91

Hey everyone,

Yesterday i faced a very large ddos attack which resulted in a null route from my ISP, I asked them to open it but the ddos was still going on so they null routed my ip again, I have a very sensitive business which needs 100% up time,

So.. I have a fiber line, which I have 5 IPs on, one of the ip is the main server which was under the attack, i have been browsing since yesterday for the solutions and i found online to go with pfSense, i saw many people mitigating attacks with it too, So I myself installed it on a machine, I also bought a stresser (ddoser) available online to test for ddos

Lets say im protecting my main ip that is : 1.1.1.1

I gave my wan ip 1.1.1.1 and local is w/e i attached it with the main server for local

So far so good, i set up a rule to block all the incoming UDP packets

I tested it with stresser on wan ip 1.1.1.1 , my server went down in 1 sec,

What i can't clear from my concepts is how can a firewall work when all those packets reach the network already, the network can't really handle it so how can a firewall work? only thing i can think of is blocking them somehow before those packets even reach my firewall machine

Am i right? If so how is that possible?

johnpoz

Not sure what you were reading but you are correct you can not stop a ddos with a firewall at the end point of the attack.. If they fill up your pipe does not matter what the firewall does with the packet, be it drop it or allow it. The pipe is full its too late.

Allow your pipe to have traffic flow means the traffic has to be stopped before it heads down your pipe.

If the type of attack was say using something on your end in an amplification sort of attack where they are sending you stuff and for whatever reason your answering it and causing massive upload, or for your server to be overloaded then sure fw at your end could be used to make sure those packets causing the amplification just get dropped and or not sent to your server. But if the attack is filling up your pipe on its way too you - there is nothing that can be done at your end other than getting a fatter pipe, or changing IP.

Now if your old fw was not able to handle the traffic even if not filling up your pipe, then sure a better firewall that can handle the traffic could allow you to ride out the storm if you will.

But in general with a ddos sending massive amounts of traffic your way, your ISP needs to head off the traffic before it gets sent down your pipe.

bilal91

@johnpoz:

Not sure what you were reading but you are correct you can not stop a ddos with a firewall at the end point of the attack.. If they fill up your pipe does not matter what the firewall does with the packet, be it drop it or allow it. The pipe is full its too late.

Allow your pipe to have traffic flow means the traffic has to be stopped before it heads down your pipe.

If the type of attack was say using something on your end in an amplification sort of attack where they are sending you stuff and for whatever reason your answering it and causing massive upload, or for your server to be overloaded then sure fw at your end could be used to make sure those packets causing the amplification just get dropped and or not sent to your server. But if the attack is filling up your pipe on its way too you - there is nothing that can be done at your end other than getting a fatter pipe, or changing IP.

Now if your old fw was not able to handle the traffic even if not filling up your pipe, then sure a better firewall that can handle the traffic could allow you to ride out the storm if you will.

But in general with a ddos sending massive amounts of traffic your way, your ISP needs to head off the traffic before it gets sent down your pipe.

Its a 10gb attack i cant get that big bandwidth here. and as your question my server does not respond to those, just drops them

is there any way to block the attacks before it comes to my network without filling it?

in my case i have a fiber line connected through media converter and an Ethernet wire from media converter goes to switch from where all the servers get their public static ip, maybe some way to plug that main media converter Ethernet wire into firewall, but then what will be its wan ip? so confusing! There must be a way though, (ISP don't give a damn, all they do it null route my ip)

johnpoz

"is there any way to block the attacks before it comes to my network without filling it?"

Yes you need your ISP to do that.. Or you need to change your IP.. But most likely if deliberate attack they will figure out your IP changed and just start hitting your new one.

And NO there is nothing you can do if your pipe is full at your end..

You can look into a company like Radware.. They have some stuff that diverts the traffic to their cloud stuff if your pipe is being saturated. Sorry but there is just nothing you can do with a firewall to stop a FULL PIPE attack against you be it from 1 single IP on the internet or hundreds or thousands of them.. I your pipe is full its full.. Think of it as say a beer bong that is can deliver 1 beer in 30 seconds to you.. If someone wants to pour 12 beers a second into your bong – what are you going to do at your end? When its overflowing at the funnel at the top already??

If they are pouring beer into the bong on the 2nd floor of the dorm so fast its overflowing the funnel and you just have it pouring onto the ground at this point, other than having them poor the beer slower (isp) what can you do.

bilal91

@johnpoz:

"is there any way to block the attacks before it comes to my network without filling it?"

Yes you need your ISP to do that.. Or you need to change your IP.. But most likely if deliberate attack they will figure out your IP changed and just start hitting your new one.

And NO there is nothing you can do if your pipe is full at your end..

You can look into a company like Radware.. They have some stuff that diverts the traffic to their cloud stuff if your pipe is being saturated. Sorry but there is just nothing you can do with a firewall to stop a FULL PIPE attack against you be it from 1 single IP on the internet or hundreds or thousands of them.. I your pipe is full its full.. Think of it as say a beer bong that is can deliver 1 beer in 30 seconds to you.. If someone wants to pour 12 beers a second into your bong – what are you going to do at your end? When its overflowing at the funnel at the top already??

If they are pouring beer into the bong on the 2nd floor of the dorm so fast its overflowing the funnel and you just have it pouring onto the ground at this point, other than having them poor the beer slower (isp) what can you do.

Thank you for the detailed answer :)

Its a 10gb attack i cant get that big bandwidth here. and as your question my server does not respond to those, just drops them

And if you will get 10 GBit/s at the WAN and they attack you with 300 GBit/s you will loose again!

is there any way to block the attacks before it comes to my network without filling it?

Your ISP or your hoster would be setting up a device or service in front of your IP address.

in my case i have a fiber line connected through media converter and an Ethernet wire from media converter goes to switch from where all the servers get their public static ip,

Without SPI/NAT or Firewall and rules you are attaching servers to the Internet???

maybe some way to plug that main media converter Ethernet wire into firewall,

Would be a more secure solution as before you goes.

but then what will be its wan ip? so confusing!

The one you enter in the WAN menu.

There must be a way though, (ISP don't give a damn, all they do it null route my ip)

Perhaps he can´t do anything? There are some devices that can be placed in front of your business
Internet connection but they are often very expensive and there are also some services that can be
hired or rent to take the DDoS load from the line but also mostly very expensive.

The Corero IPS 5500 ES-Series would be one of this devices you could try to place in front of your
firewall and then you would be back in game. Corero SmartWall

Corero is using hardware from Tilera, based on so called many Core CPUs and this is purely not cheap.

johnpoz

And does not matter if you put a Super Computer box at the end of the pipe that can simulate the weather of the Planet for 100 years in 10 microseconds.. If the pipe is full the pipe is full! Sorry end of story.. As you mentioned there are services to direct your traffic through them, they filter it on very LARGE PIPES so the small pipe to you is clear and only non ddos traffic goes down it..

Sorry there is no magic box you put at your location that stops a ddos from filling up your pipe to the internet. If that pipe is full it is FULL, the only fix is to stop the traffic before it gets to your pipe. That is done at the ISP layer.

And does not matter if you put a Super Computer box at the end of the pipe that can simulate the weather of the Planet for 100 years in 10 microseconds..

In the front or in the middle nut no one was talking about the end!
The SmartWall series is more tended to enterprise and pro clients, from 1 GBit/s - 10 GBit/s, ~40 GBit/s
and up to 160 GBit/s. And the Corero IPS 5500 ES-Series would be more for really big companies or
ISPs that can be setting up the box then between his clients and the Internet.

If the pipe is full the pipe is full! Sorry end of story..

The pipe will not be able to be filled, because the device is acting as a filter in front of your network either installed on the ISP side or yours!
ISP side:
Internet –- ISP --- Corero IPS --- Client --- his firewall ---- his servers
Client side:
Internet --- ISP --- Client --- Corero SmartWall --- his firewall --- his servers

As you mentioned there are services to direct your traffic through them, they filter it on very
LARGE PIPES so the small pipe to you is clear and only non ddos traffic goes down it..

This is right so we are talking about three versions now!

Your ISP is placing such a device before the traffic is coming through his network to yours
You place such a device in front of your network (your firewall) to filter it
You or your ISP is able to rent such a service from somebody who is offering this.
But the services mostly are for much more GBit/s traffic then this devices are able to handle.
Perhaps we are talking then about >300 GBit/s of those attack traffic.

Sorry there is no magic box you put at your location that stops a ddos from filling up your pipe to the internet.

Why sorry? You trust this box or not! And here are two of them.
Corero SmartWall
Corero IPS 5500 ES-Series

If that pipe is full it is FULL, the only fix is to stop the traffic before it gets to your pipe. That is done at the ISP layer.

What prevents you from the installing of a device in front of your pfSense or plain firewall?
So yes, when your ISP is offering such a service and is willing to set up on his side such devices
for his clients for sure it could be done, but if not you are also able to set up a "box" in front of
your pfSense if you have the money or your ISP is not willing to do so.

Nullity

Once traffic has saturated a clients pipe, there is nothing the client can do. You cannot unsend traffic. The ISP must intervene upstream.

NOYB

@bilal91:

I have a very sensitive business which needs 100% up time,

Then, as mentioned by others, you probably need to hire a service to filter your traffic before it comes down the pipe from ISP to you. Or if the ISP has the capability, get them to filter your traffic instead of just null routing.

I'm curious. Do you have any inclination at all of who or the motive that is behind the attack? Competitor, someone doesn't like you, disgruntled customer or employee, extortion, etc.?

johnpoz

"n the front or in the middle nut no one was talking about the end!"

Yeah dude we are talking about the END.. This poster can not put devices at his ISP connection… Read what the OP is asking.. Sorry there is NO box you can put at the end of the pipe to stop the pipe from being full..

There is no magic.. If ISP sends you traffic that fills your pipe is FULL there is nothing your end can do about it.. No magic box to fix it.. Be it pfsense firewall, or some 1 Million Dollar super firewall.. Now what you can do is have a box on your end that detects the ddos and adjust routes upstream, etc. Look into radware I mentioned.

Why don't you read a bit about that smartwall your touting and where it gets placed.. It sure and the F is not placed at the end of the pipe.. Those devices are for host providers, ISPs or LARGE enterprises to put in their cores.. They are not something a end user small company buys that they place at their location.

So a used or refurbished device that was announced for sale I´ve seen, was not $2.500 which could
be a fair price to get rid of this DDoS attacks also for smaller but very busy companies as I thought it
would be a really good deal. ::)

Real world Prices:

Corero IPS 5500 ES-Series is starting at ~$25.000,00 :-[
Corero SmartWall middle till large devices (40 GBit/s) is starting at ~$250.000,00 :-[

Ok this devices would be doing the job, but only for Enterprise companies and middle or larger ISPs. ::)
For sure you were right johnpoz.

Also the A10 Thunder TPS Series is starting at ~$195.449,00 so preventing from DDoS would be
a super game but only for big players as i see it right. And trust me this boxes must be working!
Akamai.net was spending nearly ~$370.000.000,00 for hardware and equipment to handle proper
those DDoS attacks.

Nullity

@johnpoz:

…
There is no magic..
...

lol

Those damn "DDoS defenderers" … what do they do, aside from being exclusive and expensive? Do thsy employ quantum entanglement or Cat7 Mobius cables?

hda

Nah not CAT-7 QE Mob quality, they cooperate for a business model ;) Akamai's costs will be billed to layer-8.

johnpoz

What I would like to know is what the OP was reading that pointed him to pfsense mitigating attacks?

"i found online to go with pfSense, i saw many people mitigating attacks with it too"

There are lots of threads here asking the same thing - and they always get the same answer, you can not stop a DDOS with a firewall.. So either he was not reading the full thread/article or misread the information?

If the OP business is so critical and of nature that ddos is of concern, they need to host services out of location that you can protect against it, not at your location at the end of a fiber connection provided by an ISP that doesn't provide any sort of ddos mitigation services. And from the sounds of it - not even a firewall??

This is the scary part
"maybe some way to plug that main media converter Ethernet wire into firewall, but then what will be its wan ip? so confusing!"

How is this guy running a company based upon providing services connected to the internet?? I just don't get it…

Gertjan

Running a "very sensitive business" from 'home' ??
I don't know what 'sensitive' is, but I would run any serious (critical) business from a serious server, placed on a 'serious' spot, like a good data center.
If you use a good host, think about putting another serious 'tool' in front of it, like CloudFare (just to name one).

I know my 'hosting company' eats 500 Gbits DDOS like cake so I never needed 'ClouldFare', or comparable, services.
Putting yourself behind ONE incoming without protection upfront just offers you one solution : they null-route you to protect their own (== ISP) network.

Harvy66

Well should all know that any attack that consumes all of your bandwidth is impossible to stop at the edge, so lets rephrase the question to something useful and remove bandwidth from the equation. If one had an infinite amount of bandwidth, how well would PFSense hold up to a DDOS?

Gertjan

@Harvy66:

…. If one had an infinite amount of bandwidth, how well would PFSense hold up to a DDOS?

Using this one or this one ? ;)
I guess the question will narrow down about how FreeBSD 10.x acts when DDOSed.
The firewall pf being used is the one present in the native FreeBSD (probably with some advancements, thought).

I understand your question, but you will probably find a final answer like "the role of a a router / firewall device in front of a LAN" isn't 'eating ddos'.

Harvy66

In theory the limiting factor should be PPS. FreeBSD and PFSense both have some ambitious goals to allow line rate 40Gb stateful packet filtering, and even beyond. If you don't have the bandwidth, then you absolutely have to have a 3rd party service.

NOYB

@Gertjan:

Running a "very sensitive business" from 'home' ??

Didn't see where the OPer said anything about running business from home. Did I miss that?