Netgate Discussion Forum
    DOS - Internet Connection Lost

    Firewalling
    14 Posts 4 Posters 3.1k Views
      bartounet

      Hello.
      For a few days now, I have regularly been losing my internet connection.

      I noticed that during this loss my pfSense load increases.
      The load comes from filter.log.
      It is always the same IP address, 62.210.109.6, with a UDP attack.

      I'm pretty sure it's a DoS attack because during the problem I have a lot of filter log entries.
      The logs are as follows:

      Apr 30 23:40:28 WAN x.x.x.x:42207 MY_ip:80 UDP block/1000000103
      Apr 30 23:40:28 WAN x.x.x.x:42207 MY_ip:80 UDP block/1000000103
      Apr 30 23:40:28 WAN x.x.x.x:42207 MY_ip:80 UDP block/1000000103

      I don't understand how blocked requests can overload my pfSense and take down my internet connection.

      Could you explain that to me?
      Can only one IP saturate my connection??? With blocked packets??? I have no services behind these UDP requests.

        johnpoz LAYER 8 Global Moderator

        "I don't understand how block requests can overload my pfsense and down my internet connection ?"

        So you don't understand how filling up your pipe with traffic you do not want blocks internet??

        So your log is full of 1000's of these blocks in a second.. Or what?  A few bad packets does not a DOS make…

        You sure it's not just p2p traffic on something you were running on port 80?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

          bartounet

          No, it is not peer to peer.
          When I have the problem, pfSense is overloaded and there are many blocked UDP filter entries at the same time.

            cmb

            When you're blocking and logging a huge number of connections, it puts a significant strain on the system. But the reason your Internet stops working is almost certainly because your connection is completely full of garbage traffic, not because of the high load. Add a rule on WAN to block and not log UDP traffic and it'll significantly reduce load on the system when flooded with traffic. But your Internet connection will still be full, and there's nothing you can do about that on your side. By the time the traffic reaches you, it's too late, it's already consumed all your bandwidth.

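cmb's advice above (block UDP on WAN without logging it) written out in pf rule syntax, as an added illustration that is not from this thread and not pfSense's generated ruleset. The interface name em0 is an assumption; in the pfSense GUI the same thing is a rule on the WAN tab with the per-rule logging option unchecked, placed above the default deny, and there is also a global setting under Status > System Logs > Settings to stop logging packets matched by the default block rules. `quick` makes the first matching rule final, which is how pfSense rules already behave, so ordering matters.

```pf
# Assumed WAN interface name: em0 (not from the thread).

# Before: what a UDP flood hits by default, a logging block. Every dropped
# packet costs a filter-log write, which is the CPU load discussed here.
block in log quick on em0 inet proto udp from any to (em0)

# After (cmb's suggestion): the same drop with no "log" keyword, placed
# before the logging default deny so it matches first. The link is still
# full of the flood; only the per-packet logging cost goes away.
block in quick on em0 inet proto udp from any to (em0)
```

The two rules are alternatives, not a pair to load together: with both present and both `quick`, the first one listed wins.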
              johnpoz LAYER 8 Global Moderator

              " overload and there is many block udp filter at the same time"

              What do you consider many???  A DOS would be 1000's in the same second..  Not a handful…

                cmb

                @johnpoz:

                What do you consider many???  A DOS would be 1000's in the same second..  Not a handful…

                True, I'm assuming thousands per second or more.

                  johnpoz LAYER 8 Global Moderator

                  It's always the same thing… oh my gawd I am getting DDoS'd when there are like 3 unknown things in their log in the last minute...

                  He posted 3 items... If it was like 3000 then maybe there might be something to the problem...  300 maybe, let's look at it..

                  Oh my gawd this guy is attacking me...  What should I do??

                  They have an internet issue, they see something in the log and the sky is falling, this guy is attacking me.. When most likely with UDP to 80 it's just some p2p noise because his public IP used to be in a swarm..  I don't even log UDP traffic to my WAN, because it's NOISE...  There is quite a bit of it..

                  [attached image: under_attack.png]

                    Harvy66

                    I disabled default logging because

                    1. Signal to noise was crap because there are constantly scanning botnets
                    2. When doing a DoS attack test, logging was eating up a ton of CPU, which makes perfect sense. Doing a filesystem I/O operation every time a packet comes in is going to hose my CPU.

                    How many packets per second are being talked about? How large are they? The linked image is like 3 packets in a minute.

                      johnpoz LAYER 8 Global Moderator

                      dude I was making a joke.. No shit that image is not an attack…

                        bartounet

                        Hello
                        You are very mocking, johnpoz.
                        If I take the time to post, it is because I have searched before.

                        I have been a victim of a DDoS since Friday.
                        I have logs if you are interested…
                        I am talking about 500 to 1000 UDP packets per second from a lot of different IPs.
                        It is a DDoS.

                        I have opened a ticket with my ISP.

                        Do you think I can limit the load?

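Harvy66 asked how many packets per second are actually involved, and johnpoz's yardstick is thousands of blocks in the same second rather than a handful. The script below is an added example, not code from this thread or from pfSense, that answers that question from the kind of rendered firewall-log lines quoted in the first post: it parses them, counts blocked UDP packets per second and how many distinct source addresses they come from, and labels each second as noise or flood. The sample lines, the 1000 pps and 50-source thresholds, and the documentation-range addresses are all constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Shape of the rendered pfSense firewall-log lines quoted in this thread:
#   "<Mon DD HH:MM:SS> <iface> <src>:<sport> <dst>:<dport> <proto> <action>/<rule-id>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<iface>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+|MY_ip):(?P<dport>\d+) "
    r"(?P<proto>[A-Z]+) (?P<action>\w+)/(?P<rule>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for a line of another shape."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def blocked_udp_per_second(lines):
    """Map each timestamp second to (blocked UDP packet count, distinct source IPs)."""
    per_second = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] == "UDP" and rec["action"] == "block":
            per_second[rec["ts"]][rec["src"]] += 1
    return {ts: (sum(srcs.values()), len(srcs)) for ts, srcs in per_second.items()}


def classify(rates, pps_threshold=1000, distributed_sources=50):
    """Label each second 'flood' at or above pps_threshold, otherwise 'noise';
    distributed=True when the packets come from at least distributed_sources
    different addresses. Both thresholds are constructed for this example."""
    return [
        {"ts": ts, "packets": n, "sources": s,
         "label": "flood" if n >= pps_threshold else "noise",
         "distributed": s >= distributed_sources}
        for ts, (n, s) in sorted(rates.items())
    ]


def make_sample():
    """Constructed sample: three stray packets in one second (the 'noise' case),
    then one second holding 1200 blocked UDP packets from 200 different sources,
    plus one TCP line and one unparseable line to show they are ignored."""
    noise = ["Apr 30 23:40:28 WAN 198.51.100.7:42207 192.0.2.10:80 UDP block/1000000103"] * 3
    flood = [
        "Apr 30 23:41:05 WAN 203.0.113.%d:%d 192.0.2.10:80 UDP block/1000000103"
        % (i % 200, 1024 + i)
        for i in range(1200)
    ]
    other = [
        "Apr 30 23:41:05 WAN 198.51.100.9:5555 192.0.2.10:22 TCP block/1000000103",
        "garbage line from a different log",
    ]
    return noise + flood + other


SAMPLE_LINES = make_sample()

if __name__ == "__main__":
    for row in classify(blocked_udp_per_second(SAMPLE_LINES)):
        print(row)
```

Run it against real lines (stdin, a saved log) instead of `SAMPLE_LINES` to get the number the thread keeps asking for; a second labelled `flood` with `distributed` set is the volumetric, many-source case that, as cmb and Harvy66 explain, only upstream capacity can absorb.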
                          johnpoz LAYER 8 Global Moderator

                          "1000 udp packets per second"

                          How about you post that in your OP next time…

                          You cannot stop a DDoS with a firewall.. it has to be upstream.. If they are filling up your pipe they are filling up your pipe, what your firewall does at the end of that pipe is completely moot.. If you want to lower the CPU pfSense uses by logging the packets.. sure, turn off logging..

                            bartounet

                            A little example

                            http://pastebin.com/vhxDyP3p

                              cmb

                              If you block and don't log that traffic, you'll reduce the load on your firewall. But that won't actually help anything because it doesn't prevent your bandwidth from being fully consumed, which is why your connection is unusable.

                                Harvy66

                                If your driveway is full, turning off your doorbell won't stop the issue of not being able to use your driveway, but it will make it quieter in your house. If pfSense is responding fine, then your issue is that your connection is flooded. The only way to protect against a volumetric attack is to have enough bandwidth.
