DOS - Internet Connection Lost



  • Hello.
    For a few days now, I have been regularly losing my internet connection.

    I notice that during this loss, my pfSense load increases.
    The load is related to filter.log.
    It is always the same IP address, 62.210.109.6, with a UDP attack.

    I'm pretty sure it's a DOS attack, because during the problem I have a lot of filter log entries.
    The logs are as follows:

    Apr 30 23:40:28 WAN x.x.x.x:42207 MY_ip:80 UDP block/1000000103
    Apr 30 23:40:28 WAN x.x.x.x:42207 MY_ip:80 UDP block/1000000103
    Apr 30 23:40:28 WAN x.x.x.x:42207 MY_ip:80 UDP block/1000000103

    I don't understand how blocked requests can overload my pfSense and bring down my internet connection?

    Could you explain that to me?
    Can only one IP saturate my connection??? With blocked packets??? I have no services behind these UDP requests.


  • LAYER 8 Global Moderator

    "I don't understand how block requests can overload my pfsense and down my internet connection ?"

    So you don't understand how filling up your pipe with traffic you do not want blocks internet??

    So your log is full of 1000's of these blocks in a second.. Or what?  A few bad packets does not a DOS make…

    You sure it's not just p2p traffic on something you were running on port 80?



  • No, it is not peer to peer.
    When I have the problem, pfSense overloads and there are many blocked UDP filter entries at the same time.



  • When you're blocking and logging a huge number of connections, it puts a significant strain on the system. But the reason your Internet stops working is almost certainly because your connection is completely full of garbage traffic, not because of the high load. Add a rule on WAN to block and not log UDP traffic and it'll significantly reduce load on the system when flooded with traffic. But your Internet connection will still be full, and there's nothing you can do about that on your side. By the time the traffic reaches you, it's too late, it's already consumed all your bandwidth.


  • LAYER 8 Global Moderator

    " overload and there is many block udp filter at the same time"

    What do you consider many???  A DOS would be 1000's in the same second..  Not a handful…



  • @johnpoz:

    What do you consider many???  A DOS would be 1000's in the same second..  Not a handful…

    True, I'm assuming thousands per second or more.


  • LAYER 8 Global Moderator

    It's always the same thing… oh my gawd I am getting DDOS'd when there is like 3 unknown things in their log in the last minute...

    He posted 3 items... If it was like 3000 then maybe there might be something to the problem...  300 maybe lets look at it..

    Oh my gawd this guy is attacking me...  What should I do??

    They have an internet issue, they see something in the log and the sky is falling, this guy is attacking me.. When most likely with UDP to 80 it's just some p2p noise because his public IP used to be in a swarm..  I don't even log UDP traffic to my WAN, because it's NOISE...  There is quite a bit of it..




  • I disabled default logging because

    1. Signal to noise was crap because there's constantly scanning botnets
    2. when doing a DOS attack test, logging was eating up a ton of CPU, which makes perfect sense. Doing a filesystem IO operation every time a packet comes in is going to hose my CPU

    How many packets per second are being talked about? How large are they? The linked image is like 3 packets in a minute.


  • LAYER 8 Global Moderator

    dude I was making a joke.. No shit that image is not an attack…



  • Hello
    You are very mocking, johnpoz.
    If I take the time to post, it is because I have searched before.

    I have been a victim of DDoS since Friday.
    I have logs if you are interested…
    I'm speaking about 500 to 1000 UDP packets per second from a lot of different IPs.
    It is a DDoS.

    I have opened a ticket with my ISP.

    Do you think I can limit the load?


  • LAYER 8 Global Moderator

    "1000 udp packets per second"

    How about you post that in your OP next time…

    You cannot stop DDOS with a firewall.. it has to be upstream.. If they are filling up your pipe they are filling up your pipe, what your firewall does at the end of that pipe is completely moot.. If you want to lower the CPU pfSense spends logging the packets.. sure, turn off logging..
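The thread's disagreement boils down to one number: how many blocked packets per second the log actually shows (three entries in a minute versus 500 to 1000 per second). The script below is an added example, not code from the forum or from the pfSense project. It parses blocked-UDP entries in a simplified line format modelled on the original poster's paste (time, interface, source, destination, protocol, action/rule; the web-UI icon text dropped), computes the peak per-second rate and the number of distinct sources, and classifies the result. The sample log lines, the IP addresses, and the `handful`/`flood` thresholds are constructed from the figures quoted in the thread; the real pfSense filterlog syslog format is different and is not parsed here.

```python
"""Rate blocked-UDP entries from a (simplified) pfSense firewall log: noise or flood?"""
import re
from collections import Counter

# Constructed line format, modelled on the thread's paste with the web-UI icon
# text stripped: "<Mon> <day> <HH:MM:SS> <iface> <src>:<sport> <dst>:<dport> <PROTO> <action>/<rule>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<iface>\S+) "
    r"(?P<src>\S+):(?P<sport>\d+) (?P<dst>\S+):(?P<dport>\d+) "
    r"(?P<proto>[A-Z0-9]+) (?P<action>[a-z]+)/(?P<rule>\d+)$"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(lines, proto="UDP", action="block"):
    """Count matching entries per second (timestamp string) and per source address."""
    per_second = Counter()
    per_source = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != proto or rec["action"] != action:
            continue
        per_second[rec["ts"]] += 1
        per_source[rec["src"]] += 1
    return {
        "total": sum(per_second.values()),
        "peak_pps": max(per_second.values(), default=0),
        "distinct_sources": len(per_source),
        "top_sources": per_source.most_common(3),
    }


def classify(summary, handful=10, flood=500):
    """Thresholds are constructed from the thread: a few entries a minute is noise,
    hundreds to a thousand per second is a flood worth taking to the ISP."""
    if summary["peak_pps"] >= flood:
        return "flood"
    if summary["peak_pps"] > handful:
        return "suspicious"
    return "noise"


# Constructed sample 1: what the original post showed, three identical entries in one second.
NOISE_LOG = [
    "Apr 30 23:40:28 WAN 203.0.113.9:42207 198.51.100.5:80 UDP block/1000000103",
] * 3

# Constructed sample 2: 800 packets in one second from 200 different source addresses.
FLOOD_LOG = [
    f"May  1 02:15:07 WAN 203.0.113.{i % 200}:{40000 + i} 198.51.100.5:80 UDP block/1000000103"
    for i in range(800)
]

if __name__ == "__main__":
    for name, log in (("OP paste", NOISE_LOG), ("constructed flood", FLOOD_LOG)):
        s = summarize(log)
        print(f"{name}: {s['total']} entries, peak {s['peak_pps']} pkt/s, "
              f"{s['distinct_sources']} sources -> {classify(s)}")
```

Run against a log export, the per-second peak is the figure to quote in a post or an ISP ticket; the distinct-source count separates leftover p2p swarm noise (one or a few peers) from a distributed flood. Note that the classification only tells you whether logging is what is loading the firewall; as the replies point out, a genuine flood has already consumed the link before any rule sees it.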



  • A little example

    http://pastebin.com/vhxDyP3p



  • If you block and don't log that traffic, you'll reduce the load on your firewall. But that won't actually help anything because it doesn't prevent your bandwidth from being fully consumed, which is why your connection is unusable.



  • If your driveway is full, turning off your doorbell won't stop the issue of not being able to use your driveway, but it will make it quieter in your house. If PFSense is responding fine, then your issue is your connection is flooded. The only way to protect against a volumetric attack is to have enough bandwidth.

