I am sorry to hear of the distributed responsibilities for the network, and that only makes your job harder.

Any possibility of using a protocol analyzer (Wireshark) to see what is going out and where it is going? If you have managed switches with port mirroring capabilities, you can strategically place the protocol analyzer to see what kind of traffic (i.e. - services) is leaving your network, and also see what kind of traffic is coming in.

I don't think pfSense has live logs (I am still fairly new to this product), but I have used other firewall products that do have this feature. The live logs have been very useful in determining what IP addresses are being contacted, what services are being requested, and who is attempting to do reconnaissance (port scanning) on your network from outside. Other than that, you will need to analyze the existing logs - not a task I ever look forward to. This is also one reason I like protocol analyzers, but for some reason, most IT departments won't spend the time to learn them and use them.

At some point, you may need to consider hardware. It is possible that the WAN interface is defective and just shuts down under moderate to heavy traffic. Have you been able to assess the packets/second hitting your WAN on this interface during the attacks? There are many on the forums who maintain that Intel and Broadcom NICs are robust and perform best in pfSense, and that Realtek NICs are problematic at best. I cannot confirm those opinions and just don't have the setup to make a definitive test. I use Realtek NICs in my firewalls, but my office is unlikely to see the variety and utilization that your networks do.
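The log analysis suggested above (which outside services are being requested, and who is probing the public address from outside), as an added example that is not from this thread or from pfSense itself. It assumes the pfSense 2.2-era filterlog CSV field layout and builds its own constructed sample lines; the interface name em0 and all addresses are made up.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the pfSense filterlog CSV layout (assumed from the
# 2.2-era format: rule,subrule,anchor,tracker,iface,reason,action,dir,ipver,
# tos,ecn,ttl,id,offset,flags,proto_id,proto,length,src,dst,sport,dport,...).
def _line(iface, action, direction, proto, src, dst, sport, dport):
    pid = "6" if proto == "tcp" else "17"
    return (f"Dec 10 12:00:00 fw filterlog: 5,,,1000000103,{iface},match,{action},"
            f"{direction},4,0x0,,64,1,0,DF,{pid},{proto},60,{src},{dst},{sport},{dport},0,S,")

SAMPLE_LOG = [
    _line("em0", "pass", "out", "tcp", "192.0.2.10", "198.51.100.5", 50123, 443),
    _line("em0", "pass", "out", "tcp", "192.0.2.11", "198.51.100.5", 50124, 443),
    _line("em0", "pass", "out", "udp", "192.0.2.12", "198.51.100.9", 40000, 53),
    _line("em0", "pass", "out", "tcp", "192.0.2.13", "198.51.100.77", 50125, 6667),
] + [
    # one external host probing a dozen ports on the public address: reconnaissance
    _line("em0", "block", "in", "tcp", "203.0.113.7", "198.51.100.200", 44000 + p, p)
    for p in (21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 8080)
] + [
    _line("em0", "block", "in", "tcp", "203.0.113.9", "198.51.100.200", 44100, 80),
]

def parse_filterlog(line):
    """Return the fields this analysis needs, or None for lines it does not handle."""
    m = re.search(r"filterlog: (.*)$", line)
    if not m:
        return None
    f = m.group(1).split(",")
    if len(f) < 22 or f[8] != "4" or f[16] not in ("tcp", "udp"):
        return None  # IPv6 and ICMP records lay out differently; skipped here
    return {"iface": f[4], "action": f[6], "dir": f[7], "proto": f[16],
            "src": f[18], "dst": f[19], "dport": f[21]}

def outbound_services(lines, iface="em0"):
    """Count passed outbound flows by (destination, protocol, port): what is leaving."""
    c = Counter()
    for rec in filter(None, map(parse_filterlog, lines)):
        if rec["iface"] == iface and rec["dir"] == "out" and rec["action"] == "pass":
            c[(rec["dst"], rec["proto"], rec["dport"])] += 1
    return c

def inbound_scanners(lines, iface="em0", min_ports=10):
    """Sources whose blocked inbound packets touched at least min_ports distinct ports."""
    ports = defaultdict(set)
    for rec in filter(None, map(parse_filterlog, lines)):
        if rec["iface"] == iface and rec["dir"] == "in" and rec["action"] == "block":
            ports[rec["src"]].add(rec["dport"])
    return {src: len(p) for src, p in ports.items() if len(p) >= min_ports}
```

Point the two functions at the real /var/log/filter.log lines (or a clog dump of it) and the unexpected outbound services and the hosts touching many ports stand out without a packet capture.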

On 12/10/2015 12:14 PM, Joshua Young wrote:
At this point, I do not believe there are any services open for students to
access servers remotely.  But we are reviewing all of our rules.  We
actually started this process before the DDoS attacks started but they have
heightened our awareness of the need to do so.

It is configured to not respond to ICMP.

We have considered the possibility of an infected machine on that network.
We have updated and scanned all Windows computers on that network (which
aren't that many as we are a mostly Mac environment).  We encourage
students and staff to keep their devices updated.

One of the issues here that we were well aware of prior to this is the fact
that the High School wireless network, which is the one that keeps getting
targeted, is wide open.  We're in a different situation here with the setup
- we are what's known as an AOS (Alternative Organizational Structure).
This was in response to a law passed in our state a few years ago requiring
consolidation of school districts.  I'm the Technology Coordinator, which
means I am over all IT in the AOS.  But, each school is actually its own
district with its own tech staff - we share certain resources (like a
Superintendent and other Central Office staff) but there is a lot of local
control at the school level, so much so that some things I can only make
recommendations on and I cannot dictate what happens.  It's very confusing
and is really a ridiculous setup.  But it is what I have to work with.

The WAN is in my purview, as is the core LAN in each school.  But the
wireless network is actually the responsibility of the school and they
therefore have the final say on what happens with it.  The school tech
staff make the decisions regarding the wireless networks - this is one of
the areas that I can only make recommendations.  Like I said - very
confusing and it gets quite frustrating!

My Network Admin and I keep recommending to the High School that they
secure their network but they were steadfastly refusing - until now.  Now
they actually think it's a good idea (go figure).  That may or may not have
contributed to this spate of attacks but it certainly will help in the
future.

On Thu, Dec 10, 2015 at 3:11 AM, Robert Obrinsky <robrin...@roillc.com>
wrote:

Are there any services open on that interface so that students can access
servers from remote sites? Does your public address respond to ICMP? Is it
possible that some of your students' computers/devices are members of a
botnet and reporting back to a command and control server? Have you or
someone you have hired conducted a penetration test of your public
addresses? It seems too convenient that you are continually being
rediscovered. How long before the new public address gets attacked?

As far as outbound traffic is concerned, are there any protocols that are
restricted, or is anything allowed out? I have seen hedge funds that were
very serious about security where they only allowed their staff to access
certain services from specific workstations. Granted, they almost certainly
had fewer employees than you have students, but the idea is that they only
allowed outbound services that were necessary for their business, and even
then restricted those services to the individuals who required them. I am
certain that the challenges of a high school population are much more
difficult to control.

Bob


On 12/9/2015 12:32 PM, Joshua Young wrote:

We have been working with our ISP but I'm looking for something we might be
able to do here.  I don't think there is a service that is being attacked.
It's always the same interface - it's the public NAT IP for our High School
wireless network.  We change the public IP address and the problem goes
away - until the new one is discovered.  We have cycled through I think 6
IP addresses now that are available to us from at least two different
ranges.  We have not re-used any addresses - most of the addresses that
were targeted are currently disabled by our ISP.

On Tue, Dec 8, 2015 at 10:05 AM, WebDawg <webd...@gmail.com> wrote:

On Mon, Dec 7, 2015 at 10:40 AM, Joshua Young <joshua.yo...@mdirss.org>
wrote:

We have recently been the target of DDoS attacks.  The same interface is
targeted each time.  Is there any way we can shut down this interface
automatically when this happens?  Is there a way to maybe set a threshold
for traffic and, when it reaches that threshold, automatically shut the
interface down?  When this happens, the pfSense is overwhelmed and our
entire WAN loses Internet connectivity.  I figure if we can shut the one
interface that is being targeted down before the traffic gets to the point
of saturating our bandwidth, then just that one network would be down
rather than our entire WAN.


Josh Young
Educational Technology Coordinator

*Mount Desert Island Regional School System - AOS 91*
1081 Eagle Lake Road, Mt. Desert, ME 04660
P.O. Box 60, Mt. Desert, ME 04660
Phone: (207) 288-5049 | Fax: (207) 288-5071


Can we have more details on the DDoS attack?  Are you sure there are
no other solutions than shutting it down?  Why would it freeze?  Is a
service hosted by pfSense being attacked?
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold



--
Robert Obrinsky President Robert Obrinsky Industries, LLC 1908 SE 45th
Avenue Portland, OR 97215 Office 503.719.4387 Mobile 503.752.8489
http://www.roillc.com