DOS - Internet Connection Lost

bartounet

Hello.
since few day, i lost regulary my internet connection.

I notice that during this lost, my pfsense increase load
The load is about filter.log
Always the same address IP 62.210.109.6 with UDP Attack

I'm pretty sure it's a DOS Attack because during the problem i have a lot of filter log
logs are following:

Apr 30 23:40:28 WAN Icon Reverse Resolve with DNS Icon Easy Rule: Add to Block List x.x.x.x:42207 Icon Reverse Resolve with DNS Icon Easy Rule: Pass this traffic MY_ip:80 UDP
block/1000000103
Apr 30 23:40:28 WAN Icon Reverse Resolve with DNS Icon Easy Rule: Add to Block List x.x.x.x:42207 Icon Reverse Resolve with DNS Icon Easy Rule: Pass this traffic MY_ip:80 UDP
block/1000000103
Apr 30 23:40:28 WAN Icon Reverse Resolve with DNS Icon Easy Rule: Add to Block List x.x.x.x:42207 Icon Reverse Resolve with DNS Icon Easy Rule: Pass this traffic MY_ip:80 UDP
block/1000000103

I don't understand how block requests can overload my pfsense and down my internet connection ?

Could you explain me that ?
Only On IP can saturate my connection ??? whith block packets ??? i have no services behind this udp resquests

johnpoz

"I don't understand how block requests can overload my pfsense and down my internet connection ?"

So you don't understand how filling up your pipe with traffic you do not want blocks internet??

So your log is full of 1000's of these blocks in a second.. Or what? A few bad packets does not a DOS make…

You sure its not just p2p traffic on something you were running on port 80?

bartounet

No it is not peer to peer.
When i have the probleme pfsense overload and there is many block udp filter at the same time

cmb

When you're blocking and logging a huge number of connections, it puts a significant strain on the system. But the reason your Internet stops working is almost certainly because your connection is completely full of garbage traffic, not because of the high load. Add a rule on WAN to block and not log UDP traffic and it'll significantly reduce load on the system when flooded with traffic. But your Internet connection will still be full, and there's nothing you can do about that on your side. By the time the traffic reaches you, it's too late, it's already consumed all your bandwidth.

johnpoz

" overload and there is many block udp filter at the same time"

What do you consider many??? A DOS would be 1000''s in the same second.. Not a handful…

cmb

@johnpoz:

What do you consider many??? A DOS would be 1000''s in the same second.. Not a handful…

True, I'm assuming thousands per second or more.

johnpoz

Its always the same thing… oh my gawd I am getting DDOS'd when there is like 3 unknown things in their log in the last minute...

He posted 3 items... If it was like 3000 then maybe there might be something to the problem... 300 maybe lets look at it..

Oh my gawd this guy is attacking me... What should I do??

Hey have a internet issue, they see something in the log and the sky is falling this guy is attacking me.. When most likely with udp to 80 its just some p2p noise because his public IP use to be in a swarm.. I don't even log udp traffic to my wan, because its NOISE... There is quite a bit of it..

under_attack.png_thumb

Harvy66

I disabled default logging because

Signal to noise was crap because there's contantly scanning botnets
when doing a DOS attack test, logging was eating up a ton of CPU, which makes perfect sense. Doing a filesystem IO operation every time a packet comes in is going to hose my CPU

How many packets per second are being talked about? How large are they? ~~The linked image is like 3 packets in a minute.~~

johnpoz

dude I was making a joke.. No shit that image is not an attack…

bartounet

Hello
You are very moquing johnpoz
If i take time to post it is because i have search before

I am victim to ddos since friday
I have logs if you are interested…
I speek about 500 to 1000 udp packets per second with a lot of different ip
It is a ddos

I have opened ticket to my isp

You think i can limit load ?

johnpoz

"1000 udp packets per second"

How about you post that in your OP next time…

You can not stop DDOS with a firewall.. it has to be upstream.. If they are filling up your pipe they are filling up your pipe, what your firewall does at the end of that pipe is completely moot.. If you want to lower the cpu pfsense does by logging the packets.. sure turn off logging..

bartounet

A little example

http://pastebin.com/vhxDyP3p

cmb

If you block and don't log that traffic, you'll reduce the load on your firewall. But that won't actually help anything because it doesn't prevent your bandwidth from being fully consumed, which is why your connection is unusable.

Harvy66

If your driveway is full, turning off your doorbell won't stop the issue of not being able to use your driveway, but it will make it quieter in your house. If PFSense is responding fine, then your issue is your connection is flooded. The only way to protect against a volumetric attack is to have enough bandwidth.