On Fri, Dec 11, 2015 at 9:03 AM, Robert Obrinsky <robrin...@roillc.com> wrote:
> I am sorry to hear of the distributed responsibilities for the network, and
> that only makes your job harder.
>
> Any possibility of using a protocol analyzer (Wireshark) to see what is
> going out and where it is going? If you have managed switches with port
> mirroring capabilities, you can strategically place the protocol analyzer to
> see what kind of traffic (i.e. - services) is leaving your network, and also
> see what kind of traffic is coming in.
>
> I don't think pfSense has live logs (I am still fairly new to this product),
> but I have used other firewall products that do have this feature. The live
> logs have been very useful in determining what IP addresses are being
> contacted, what services are being requested, and who is attempting to do
> reconnaissance (port scanning) on your network from outside. Other than
> that, you will need to analyze the existing logs - not a task I ever look
> forward to. This is also one reason I like protocol analyzers, but for some
> reason, most IT departments won't spend the time to learn them and use them.
>
> At some point, you may need to consider hardware. It is possible that the
> WAN interface is defective and just shuts down under moderate to heavy
> traffic. Have you been able to assess the packets/second hitting your WAN on
> this interface during the attacks? There are many on the forums who maintain
> that Intel and Broadcom NICs are robust and perform best in pfSense, and
> that Realtek NICs are problematic at best. I cannot confirm those opinions
> and just don't have the setup to make a definitive test. I use Realtek NICs
> in my firewalls, but my office is unlikely to see the variety and
> utilization that your networks do.
>
>

pfSense can do tcpdumps on any interface.  I get that DDoS attacks are
meant to shut a WAN connection down, but my biggest concern with this
issue was that the firewall was freezing.  Isn't that one of the points
of getting the correct hardware and configuring a firewall correctly?

I would go with the cron job suggestion that was posted a while back if
you are looking to shut down the interface overall.  I think it is a
good idea to check what is causing the freeze, though; it is nothing to
get some bandwidth anymore to do these attacks, and while your WAN
connection will not work, a firewall should not freeze.

It makes me want to ddos my own boxes.

Wireshark is just the tip of the iceberg anymore; there are entire
web-based suites dedicated to protocol inspection, even live analysis.

In your firewall rule sets, are you dropping or rejecting?  I only
reject when I know systems need that reject back, for example when some
software waits and waits and waits for a timeout because the automatic
update for that software cannot connect home.  Even then, this is on
the LAN side.  This is just basic stuff.

It sounds like you have a nice pipe coming into your pfSense box.

It would help this list if you could say what type of attack it is,
and what traffic they are sending your way.
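
Since the thread asks what kind of traffic is hitting the WAN, here is an
added example of how to answer that from a pfSense tcpdump.  This is my
own script, not code from the thread or from the pfSense project; it
assumes the WAN interface is em0 and uses a capture path of my choosing,
and the sample capture lines embedded in it are constructed, not real
traffic.  It summarises the decoded text by source address, by
protocol/destination port, and by packet rate, which is usually enough to
tell a SYN flood from a UDP amplification flood from an ICMP flood.

```shell
#!/bin/sh
# Added example (not from the list thread): characterise a flood from a
# tcpdump capture so you can say what traffic is being sent your way.
#
# Capture on the pfSense box first (em0 and the file path are assumptions,
# adjust to your WAN), then feed the decoded text to the functions below:
#   tcpdump -nn -i em0 -c 100000 -w /var/tmp/wan.pcap
#   tcpdump -nn -r /var/tmp/wan.pcap | top_sources 5
#
# Each function reads "tcpdump -nn" text on stdin.

# Most frequent source addresses, printed as "count addr" with ports stripped.
top_sources() {
    awk '$2 == "IP" {
            src = $3
            n = split(src, p, ".")
            if (n == 5) src = p[1] "." p[2] "." p[3] "." p[4]   # drop the port
            count[src]++
        }
        END { for (s in count) print count[s], s }' | sort -rn | head -n "${1:-5}"
}

# Most frequent protocol/destination-port pairs, printed as "count proto/port".
top_targets() {
    awk '$2 == "IP" {
            dst = $5; sub(/:$/, "", dst)
            n = split(dst, p, ".")
            port = (n == 5) ? p[5] : "-"
            if ($6 == "Flags") proto = "tcp"        # TCP lines read "dst.port: Flags [S], ..."
            else if ($6 == "UDP,") proto = "udp"    # UDP lines read "dst.port: UDP, length N"
            else if ($6 == "ICMP") proto = "icmp"   # ICMP lines have no port
            else proto = "other"
            count[proto "/" port]++
        }
        END { for (k in count) print count[k], k }' | sort -rn | head -n "${1:-5}"
}

# Packet count and average packets/second over the capture window,
# computed from the first and last timestamps (HH:MM:SS.usec).
packet_rate() {
    awk '$2 == "IP" {
            split($1, t, ":")
            ts = t[1] * 3600 + t[2] * 60 + t[3]
            if (n == 0) first = ts
            last = ts; n++
        }
        END {
            span = last - first
            printf "packets=%d span=%.1fs pps=%.1f\n", n, span, ((span > 0) ? n / span : n)
        }'
}

# Constructed sample of "tcpdump -nn" output (not a real capture): a SYN
# flood on port 80 from one host, UDP from a second, ICMP from a third,
# and one legitimate HTTPS client, spread over two seconds.
SAMPLE_CAPTURE='12:00:00.000000 IP 198.51.100.7.40001 > 203.0.113.5.80: Flags [S], seq 1, win 65535, length 0
12:00:00.200000 IP 198.51.100.8.53 > 203.0.113.5.3074: UDP, length 1400
12:00:00.400000 IP 198.51.100.7.40002 > 203.0.113.5.80: Flags [S], seq 2, win 65535, length 0
12:00:00.600000 IP 198.51.100.9 > 203.0.113.5: ICMP echo request, id 7, seq 1, length 64
12:00:00.800000 IP 198.51.100.7.40003 > 203.0.113.5.80: Flags [S], seq 3, win 65535, length 0
12:00:01.000000 IP 192.0.2.10.51522 > 203.0.113.5.443: Flags [P.], seq 100:200, ack 1, win 500, length 100
12:00:01.200000 IP 198.51.100.8.53 > 203.0.113.5.3074: UDP, length 1400
12:00:01.400000 IP 198.51.100.7.40004 > 203.0.113.5.80: Flags [S], seq 4, win 65535, length 0
12:00:01.600000 IP 198.51.100.9 > 203.0.113.5: ICMP echo request, id 7, seq 2, length 64
12:00:01.800000 IP 198.51.100.8.53 > 203.0.113.5.3074: UDP, length 1400
12:00:02.000000 IP 198.51.100.7.40005 > 203.0.113.5.80: Flags [S], seq 5, win 65535, length 0'

# Demo run on the sample; pipe real "tcpdump -nn -r wan.pcap" output in instead.
printf '%s\n' "$SAMPLE_CAPTURE" | top_sources 3
printf '%s\n' "$SAMPLE_CAPTURE" | top_targets 3
printf '%s\n' "$SAMPLE_CAPTURE" | packet_rate
```

On the sample the top source is 198.51.100.7 with 5 packets and the top
target is tcp/80, which is the SYN flood; on a real capture the same three
lines tell you whether the traffic is SYNs, amplified UDP or ICMP, which
source ranges to block upstream, and roughly what packet rate the WAN NIC
was being asked to handle when the box froze.  Run it on the firewall
itself only after the capture is on disk; decoding a live flood with
tcpdump on a box that is already struggling just adds load.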
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold