Re: [pfSense] Shutdown Interface?

2015-12-13 Thread pfsense
Not at all, Doug. I just do not see the need for strawberries either, and I hope 
there is a deep frost soon.


Robert


> On Dec 11, 2015, at 3:33 PM, Doug Lytle  wrote:
> 
> It would appear you're just interested in being confrontational.  I have you 
> have a nice day.
> 
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
> 



Re: [pfSense] Shutdown Interface?

2015-12-13 Thread WebDawg
On Fri, Dec 11, 2015 at 9:03 AM, Robert Obrinsky  wrote:
> I am sorry to hear of the distributed responsibilities for the network, and
> that only makes your job harder.
>
> Any possibility of using a protocol analyzer (Wireshark) to see what is
> going out and where it is going? If you have managed switches with port
> mirroring capabilities, you can strategically place the protocol analyzer to
> see what kind of traffic (i.e. - services) is leaving your network, and also
> see what kind of traffic is coming in.
>
> I don't think pfSense has live logs (I am still fairly new to this product),
> but I have used other firewall products that do have this feature. The live
> logs have been very useful in determining what IP addresses are being
> contacted, what services are being requested, and who is attempting to do
> reconnaissance (port scanning) on your network from outside. Other than
> that, you will need to analyze the existing logs - not a task I ever look
> forward to. This is also one reason I like protocol analyzers, but for some
> reason, most IT departments won't spend the time to learn them and use them.
>
> At some point, you may need to consider hardware. It is possible that the
> WAN interface is defective and just shuts down under moderate to heavy
> traffic. Have you been able to assess the packets/second hitting your WAN on
> this interface during the attacks? There are many on the forums who maintain
> that Intel and Broadcom NICs are robust and perform best in pfSense, and
> that Realtek NICs are problematic at best. I cannot confirm those opinions
> and just don't have the setup to make a definitive test. I use Realtek NICs
> in my firewalls, but my office is unlikely to see the variety and
> utilization that your networks do.
>
>

pfSense can do tcpdumps on any interface.  I get that ddos attacks are
meant to shut a WAN connection down, my biggest thing about this issue
was that the firewall was freezing.  Is not that one of the parts
about getting the correct hardware and configuring a firewall
correctly?

I would go with the cronjob suggestion that was posted a while back if
you are looking to shut down the interface overall.  I think it is a
good idea to check what is doing it though (causing the freeze), it is
nothing to get some bandwidth anymore to do these attacks and while
your WAN connection will not work, a firewall should not freeze.

It makes me want to ddos my own boxes.

Wireshark is just the tip of the iceberg anymore, they have entire web
based suites that are dedicated to protocol inspection.  Even live
stuff.

In your firewall rule sets, are you dropping or rejecting?  I only
reject when I know systems need that reject back.  Like when some
software waits and waits and waits for a timeout because the automatic
update for specific software cannot connect to home.  Even then, this
is on the LAN side.  This is just basic stuff.

It sounds like you have a nice pipe coming into your pfSense box.

It would help this list if you could say what type of attack it is,
and what traffic they are sending your way.
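
A sketch of the threshold-triggered interface shutdown asked about in this thread, written as a cron-driven sh script; it is an added example, not code posted to the list or shipped with pfSense. The interface name, packet-rate limit, state-file location and the FreeBSD `netstat -I <if> -bn` column layout are assumptions, and the sample output is constructed.

```shell
#!/bin/sh
# pps_guard.sh IFACE MAX_PPS: run once a minute from cron, for example
#   * * * * * /root/pps_guard.sh em1 50000     (path, interface, limit: assumed)
# Compares the interface's inbound packet counter with the value saved by the
# previous run and takes the interface down when the average rate is too high.

STATE_DIR="${STATE_DIR:-/var/run}"   # where the previous sample is kept
DRY_RUN="${DRY_RUN:-1}"              # 1 = log only, 0 = really run ifconfig

# Constructed sample of FreeBSD `netstat -I em1 -bn` output (not a real capture).
sample_netstat() {
    cat <<'EOF'
Name    Mtu Network       Address              Ipkts Ierrs Idrop     Ibytes    Opkts Oerrs     Obytes  Coll
em1    1500 <Link#2>      00:00:5e:00:53:01 48211973     0     0 3085566272  1200345     0  960276000     0
em1    1500 192.0.2.0/24  192.0.2.10        48100000     -     - 3000000000  1199000     -  959000000     -
EOF
}

# stdin: netstat text. stdout: Ipkts of the <Link#N> row. The column is found
# by header name; a row whose field count differs from the header (for example
# an empty Address column) is rejected instead of being misread.
parse_ipkts() {
    awk '
        NR == 1 { hnf = NF; for (i = 1; i <= NF; i++) if ($i == "Ipkts") col = i; next }
        col && NF == hnf && $3 ~ /^<Link#/ && $col ~ /^[0-9]+$/ { print $col; found = 1; exit }
        END { if (!found) exit 1 }
    '
}

# Print "down" when the average packets/second between two samples exceeds the
# limit, "ok" when it does not, and "skip" when the pair is unusable
# (counter reset after a reboot, or no time elapsed).
decide() {
    prev_pkts=$1 prev_ts=$2 now_pkts=$3 now_ts=$4 limit=$5
    elapsed=$((now_ts - prev_ts))
    delta=$((now_pkts - prev_pkts))
    if [ "$elapsed" -le 0 ] || [ "$delta" -lt 0 ]; then
        echo skip
        return 0
    fi
    if [ $((delta / elapsed)) -gt "$limit" ]; then echo down; else echo ok; fi
}

# One cron run: sample the counter, compare with the stored sample, act.
check_iface() {
    iface=$1 limit=$2
    state="$STATE_DIR/pps_guard.$iface"
    now_pkts=$(netstat -I "$iface" -bn | parse_ipkts) || return 1
    now_ts=$(date +%s)
    verdict=skip                      # first run: nothing to compare against
    if [ -r "$state" ]; then
        read -r prev_pkts prev_ts < "$state"
        verdict=$(decide "$prev_pkts" "$prev_ts" "$now_pkts" "$now_ts" "$limit")
    fi
    echo "$now_pkts $now_ts" > "$state"
    if [ "$verdict" = down ]; then
        logger -t pps_guard "$iface inbound rate above $limit pps"
        [ "$DRY_RUN" = 1 ] || ifconfig "$iface" down
    fi
    echo "$verdict"
}

if [ "$#" -eq 2 ]; then
    check_iface "$1" "$2"
fi
```

With `DRY_RUN` left at 1 the script only logs, which gives a baseline of normal packet rates before a limit is chosen. As another poster in this thread notes, taking the interface down does not stop the upstream provider from delivering the traffic to the link.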


Re: [pfSense] Shutdown Interface?

2015-12-13 Thread WebDawg
On Fri, Dec 11, 2015 at 3:33 PM, Doug Lytle  wrote:
> It would appear you're just interested in being confrontational.  I have you 
> have a nice day.

You guys just need to relax.  I too hate the fact that everyone pushes
google on people now too.  This is a support list for pfSense stuff
and not your ideals though.  Everyone is entitled to post anything
they think would help.

Is not that the reason this list exists?


Re: [pfSense] Shutdown Interface?

2015-12-12 Thread Doug Lytle
It would appear you're just interested in being confrontational.  I have you 
have a nice day.



Re: [pfSense] Shutdown Interface?

2015-12-11 Thread Robert Obrinsky
I just checked my lab system and you can view live logs. 'Status 
-->System Logs'. Then choose the Firewall tab and Dynamic View tab.


On 12/10/2015 12:14 PM, Joshua Young wrote:

At this point, I do not believe there are any services open for students to
access servers remotely.  But we are reviewing all of our rules.  We
actually started this process before the DDoS attacks started but they have
heightened our awareness of the need to do so.

It is configured to not respond to ICMP.

We have considered the possibility of an infected machine on that network.
We have updated and scanned all Windows computers on that network (which
aren't that many as we are a mostly Mac environment).  We encourage
students and staff to keep their devices updated.

One of the issues here that we were well aware of prior to this is the fact
that the High School wireless network, which is the one that keeps getting
targeted, is wide open.  We're in a different situation here with the setup
- we are what's known as an AOS (Alternative Organizational Structure).
This was in response to a law passed in our state a few years ago requiring
consolidation of school districts.  I'm the Technology Coordinator, which
means I am over all IT in the AOS.  But, each school is actually its own
district with its own tech staff - we share certain resources (like a
Superintendent and other Central Office staff) but there is a lot of local
control at the school level, so much so that some things I can only make
recommendations on and I cannot dictate what happens.  It's very confusing
and is really a ridiculous setup.  But it is what I have to work with.

The WAN is in my purview, as is the core LAN in each school.  But the
wireless network is actually the responsibility of the school and they
therefore have the final say on what happens with it.  The school tech
staff make the decisions regarding the wireless networks - this is one of
the areas that I can only make recommendations.  Like I said - very
confusing and it gets quite frustrating!

My Network Admin and I keep recommending to the High School that they
secure their network but they were steadfastly refusing - until now.  Now
they actually think it's a good idea (go figure).  That may or may not have
contributed to this spate of attacks but it certainly will help in the
future.

On Thu, Dec 10, 2015 at 3:11 AM, Robert Obrinsky 
wrote:


Are there any services open on that interface so that students can access
servers from remote sites? Does your public address respond to ICMP? Is it
possible that some of your students' computers/devices are members of a
botnet and reporting back to a command and control server? Have you or
someone you have hired conducted a penetration test of your public
addresses? It seems too convenient that you are continually being
rediscovered. How long before the new public address gets attacked?

As far as outbound traffic is concerned, are there any protocols that are
restricted, or is anything allowed out? I have seen hedge funds that were
very serious about security where they only allowed their staff to access
certain services from specific workstations. Granted, they almost certainly
had fewer employees than you have students, but the idea is that they only
allowed outbound services that were necessary for their business, and even
then restricted those services to the individuals who required them. I am
certain that the challenges of a high school population are much more
difficult to control.

Bob


On 12/9/2015 12:32 PM, Joshua Young wrote:

We have been working with our ISP but I'm looking for something we might be
able to do here.  I don't think there is a service that is being attacked.
It's always the same interface - it's the public NAT IP for our High School
wireless network.  We change the public IP address and the problem goes
away - until the new one is discovered.  We have cycled through I think 6
IP addresses now that are available to us from at least two different
ranges.  We have not re-used any addresses - most of the addresses that
were targeted are currently disabled by our ISP.

On Tue, Dec 8, 2015 at 10:05 AM, WebDawg  wrote:

On Mon, Dec 7, 2015 at 10:40 AM, Joshua Young wrote:

We have recently been the target of DDoS attacks.  The same interface is
targeted each time.  Is there any way we can shut down this interface
automatically when this happens?  Is there a way to maybe set a threshold
for traffic and, when it reaches that threshold, automatically shut the
interface down?  When this happens, the pfSense is overwhelmed and our
entire WAN loses Internet connectivity.  I figure if we can shut the one
interface that is being targeted down before the traffic gets to the point
of saturating our bandwidth, then just that one network would be down
rather than our entire WAN.

--



---

Re: [pfSense] Shutdown Interface?

2015-12-11 Thread Robert Obrinsky
I am sorry to hear of the distributed responsibilities for the network, 
and that only makes your job harder.


Any possibility of using a protocol analyzer (Wireshark) to see what is 
going out and where it is going? If you have managed switches with port 
mirroring capabilities, you can strategically place the protocol 
analyzer to see what kind of traffic (i.e. - services) is leaving your 
network, and also see what kind of traffic is coming in.


I don't think pfSense has live logs (I am still fairly new to this 
product), but I have used other firewall products that do have this 
feature. The live logs have been very useful in determining what IP 
addresses are being contacted, what services are being requested, and 
who is attempting to do reconnaissance (port scanning) on your network 
from outside. Other than that, you will need to analyze the existing 
logs - not a task I ever look forward to. This is also one reason I like 
protocol analyzers, but for some reason, most IT departments won't spend 
the time to learn them and use them.


At some point, you may need to consider hardware. It is possible that 
the WAN interface is defective and just shuts down under moderate to 
heavy traffic. Have you been able to assess the packets/second hitting 
your WAN on this interface during the attacks? There are many on the 
forums who maintain that Intel and Broadcom NICs are robust and perform 
best in pfSense, and that Realtek NICs are problematic at best. I cannot 
confirm those opinions and just don't have the setup to make a 
definitive test. I use Realtek NICs in my firewalls, but my office is 
unlikely to see the variety and utilization that your networks do.


On 12/10/2015 12:14 PM, Joshua Young wrote:

At this point, I do not believe there are any services open for students to
access servers remotely.  But we are reviewing all of our rules.  We
actually started this process before the DDoS attacks started but they have
heightened our awareness of the need to do so.

It is configured to not respond to ICMP.

We have considered the possibility of an infected machine on that network.
We have updated and scanned all Windows computers on that network (which
aren't that many as we are a mostly Mac environment).  We encourage
students and staff to keep their devices updated.

One of the issues here that we were well aware of prior to this is the fact
that the High School wireless network, which is the one that keeps getting
targeted, is wide open.  We're in a different situation here with the setup
- we are what's known as an AOS (Alternative Organizational Structure).
This was in response to a law passed in our state a few years ago requiring
consolidation of school districts.  I'm the Technology Coordinator, which
means I am over all IT in the AOS.  But, each school is actually its own
district with its own tech staff - we share certain resources (like a
Superintendent and other Central Office staff) but there is a lot of local
control at the school level, so much so that some things I can only make
recommendations on and I cannot dictate what happens.  It's very confusing
and is really a ridiculous setup.  But it is what I have to work with.

The WAN is in my purview, as is the core LAN in each school.  But the
wireless network is actually the responsibility of the school and they
therefore have the final say on what happens with it.  The school tech
staff make the decisions regarding the wireless networks - this is one of
the areas that I can only make recommendations.  Like I said - very
confusing and it gets quite frustrating!

My Network Admin and I keep recommending to the High School that they
secure their network but they were steadfastly refusing - until now.  Now
they actually think it's a good idea (go figure).  That may or may not have
contributed to this spate of attacks but it certainly will help in the
future.

On Thu, Dec 10, 2015 at 3:11 AM, Robert Obrinsky 
wrote:


Are there any services open on that interface so that students can access
servers from remote sites? Does your public address respond to ICMP? Is it
possible that some of your students' computers/devices are members of a
botnet and reporting back to a command and control server? Have you or
someone you have hired conducted a penetration test of your public
addresses? It seems too convenient that you are continually being
rediscovered. How long before the new public address gets attacked?

As far as outbound traffic is concerned, are there any protocols that are
restricted, or is anything allowed out? I have seen hedge funds that were
very serious about security where they only allowed their staff to access
certain services from specific workstations. Granted, they almost certainly
had fewer employees than you have students, but the idea is that they only
allowed outbound services that were necessary for their business, and even
then restricted those services to the individuals who required them. I am
certain that the chall

Re: [pfSense] Shutdown Interface?

2015-12-11 Thread pfsense
I will leave it alone. At least you did try to help; thank you for that.


Robert


> On Dec 10, 2015, at 11:05 AM, Doug Lytle  wrote:
> 
> It's not always exactly what somebody wants that may be the best thing to do. 
>  Offering other options is what I was doing, I'm sorry you didn't approve.
> 
> Doug


Re: [pfSense] Shutdown Interface?

2015-12-11 Thread pfsense
Doug, the fact that everyone assumes they know better, or that the person didn't check 
Google or try to find what they needed somewhere else first, is just ignorant.  
When a person actually finds the pfSense support list and actually joins the 
list and actually asks a question that you cannot find on Google, hmm, maybe 
they need what they're asking for, not what you think they need. This is a private 
support forum with pfSense users, not a public forum web site; people here usually 
have checked and are asking here for a reason.

The fact that I need to explain it is sad. I mean, in black and white:

Hey, I have this problem and I need this blah.

I don't care, I found this on Google in two seconds. I know it doesn't do what you 
want, but check it out anyway; it took me two seconds to find it.

Ok, does that make better sense for you?


Robert
 



> On Dec 10, 2015, at 11:05 AM, Doug Lytle  wrote:
> 
> It's not always exactly what somebody wants that may be the best thing to do. 
>  Offering other options is what I was doing, I'm sorry you didn't approve.
> 
> Doug


Re: [pfSense] Shutdown Interface?

2015-12-11 Thread Joshua Young
At this point, I do not believe there are any services open for students to
access servers remotely.  But we are reviewing all of our rules.  We
actually started this process before the DDoS attacks started but they have
heightened our awareness of the need to do so.

It is configured to not respond to ICMP.

We have considered the possibility of an infected machine on that network.
We have updated and scanned all Windows computers on that network (which
aren't that many as we are a mostly Mac environment).  We encourage
students and staff to keep their devices updated.

One of the issues here that we were well aware of prior to this is the fact
that the High School wireless network, which is the one that keeps getting
targeted, is wide open.  We're in a different situation here with the setup
- we are what's known as an AOS (Alternative Organizational Structure).
This was in response to a law passed in our state a few years ago requiring
consolidation of school districts.  I'm the Technology Coordinator, which
means I am over all IT in the AOS.  But, each school is actually its own
district with its own tech staff - we share certain resources (like a
Superintendent and other Central Office staff) but there is a lot of local
control at the school level, so much so that some things I can only make
recommendations on and I cannot dictate what happens.  It's very confusing
and is really a ridiculous setup.  But it is what I have to work with.

The WAN is in my purview, as is the core LAN in each school.  But the
wireless network is actually the responsibility of the school and they
therefore have the final say on what happens with it.  The school tech
staff make the decisions regarding the wireless networks - this is one of
the areas that I can only make recommendations.  Like I said - very
confusing and it gets quite frustrating!

My Network Admin and I keep recommending to the High School that they
secure their network but they were steadfastly refusing - until now.  Now
they actually think it's a good idea (go figure).  That may or may not have
contributed to this spate of attacks but it certainly will help in the
future.

On Thu, Dec 10, 2015 at 3:11 AM, Robert Obrinsky 
wrote:

> Are there any services open on that interface so that students can access
> servers from remote sites? Does your public address respond to ICMP? Is it
> possible that some of your students' computers/devices are members of a
> botnet and reporting back to a command and control server? Have you or
> someone you have hired conducted a penetration test of your public
> addresses? It seems too convenient that you are continually being
> rediscovered. How long before the new public address gets attacked?
>
> As far as outbound traffic is concerned, are there any protocols that are
> restricted, or is anything allowed out? I have seen hedge funds that were
> very serious about security where they only allowed their staff to access
> certain services from specific workstations. Granted, they almost certainly
> had fewer employees than you have students, but the idea is that they only
> allowed outbound services that were necessary for their business, and even
> then restricted those services to the individuals who required them. I am
> certain that the challenges of a high school population are much more
> difficult to control.
>
> Bob
>
>
> On 12/9/2015 12:32 PM, Joshua Young wrote:
>
>> We have been working with our ISP but I'm looking for something we might be
>> able to do here.  I don't think there is a service that is being attacked.
>> It's always the same interface - it's the public NAT IP for our High School
>> wireless network.  We change the public IP address and the problem goes
>> away - until the new one is discovered.  We have cycled through I think 6
>> IP addresses now that are available to us from at least two different
>> ranges.  We have not re-used any addresses - most of the addresses that
>> were targeted are currently disabled by our ISP.
>>
>> On Tue, Dec 8, 2015 at 10:05 AM, WebDawg  wrote:
>>
>>> On Mon, Dec 7, 2015 at 10:40 AM, Joshua Young wrote:
>>>
>>>> We have recently been the target of DDoS attacks.  The same interface is
>>>> targeted each time.  Is there any way we can shut down this interface
>>>> automatically when this happens?  Is there a way to maybe set a threshold
>>>> for traffic and, when it reaches that threshold, automatically shut the
>>>> interface down?  When this happens, the pfSense is overwhelmed and our
>>>> entire WAN loses Internet connectivity.  I figure if we can shut the one
>>>> interface that is being targeted down before the traffic gets to the point
>>>> of saturating our bandwidth, then just that one network would be down
>>>> rather than our entire WAN.

 --


>>> -

Re: [pfSense] Shutdown Interface?

2015-12-10 Thread Doug Lytle
It's not always exactly what somebody wants that may be the best thing to do.  
Offering other options is what I was doing, I'm sorry you didn't approve.

Doug


Re: [pfSense] Shutdown Interface?

2015-12-10 Thread pfsense
> Can you get the IP addresses from the logs and whois them? That seems too soon 
> for a normal targeted DoS attack. At DeSoto County here in MS we had a 
> similar issue when Windows 10 was rolling out, and it ended up being Microsoft 
> silently pushing the upgrades to all the Windows users on the network. Double 
> check the logs to see if someone has a Microsoft update server running on your 
> network or some students set up a torrent server. 
> Most of the attacks are random, and when they get nothing back they move on to 
> another IP or range. To find you within a day or two, something on the inside 
> is calling them or serving something or receiving something.
> 
> 
> Robert


> On Dec 9, 2015, at 2:32 PM, Joshua Young  wrote:
> 
> We have been working with our ISP but I'm looking for something we might be
> able to do here.  I don't think there is a service that is being attacked.
> It's always the same interface - it's the public NAT IP for our High School
> wireless network.  We change the public IP address and the problem goes
> away - until the new one is discovered.  We have cycled through I think 6
> IP addresses now that are available to us from at least two different
> ranges.  We have not re-used any addresses - most of the addresses that
> were targeted are currently disabled by our ISP.
> 
> On Tue, Dec 8, 2015 at 10:05 AM, WebDawg  wrote:
> 
>> On Mon, Dec 7, 2015 at 10:40 AM, Joshua Young 
>> wrote:
>>> We have recently been the target of DDoS attacks.  The same interface is
>>> targeted each time.  Is there any way we can shut down this interface
>>> automatically when this happens?  Is there a way to maybe set a threshold
>>> for traffic and, when it reaches that threshold, automatically shut the
>>> interface down?  When this happens, the pfSense is overwhelmed and our
>>> entire WAN loses Internet connectivity.  I figure if we can shut the one
>>> interface that is being targeted down before the traffic gets to the point
>>> of saturating our bandwidth, then just that one network would be down
>>> rather than our entire WAN.
>>> 
>>> --
>>> "The number one benefit of information technology is that it empowers
>>> people to do what they want to do. It lets people be creative. It lets
>>> people be productive. It lets people learn things they didn't think they
>>> could learn before, and so in a sense it is all about potential."
>>> 
>>> 
>>>  - Steve Ballmer
>>> 
>>> Josh Young
>>> Educational Technology Coordinator
>>> 
>>> *Mount Desert Island Regional School System - AOS 91*
>>> 1081 Eagle Lake Road, Mt. Desert, ME 04660
>>> P.O. Box 60, Mt. Desert, ME 04660
>>> Phone: (207) 288-5049 | Fax: (207) 288-5071
>> 
>> 
>> 
>> Can we have more details on the DDoS attack?  Are you sure there are
>> no other solutions than shutting it down?  Why would it freeze?  Is a
>> service hosted by pfSense being attacked?
>> 
> 
> 
> 


Re: [pfSense] Shutdown Interface?

2015-12-10 Thread Robert Obrinsky
Are there any services open on that interface so that students can 
access servers from remote sites? Does your public address respond to 
ICMP? Is it possible that some of your students' computers/devices are 
members of a botnet and reporting back to a command and control server? 
Have you or someone you have hired conducted a penetration test of your 
public addresses? It seems too convenient that you are continually being 
rediscovered. How long before the new public address gets attacked?


As far as outbound traffic is concerned, are there any protocols that 
are restricted, or is anything allowed out? I have seen hedge funds that 
were very serious about security where they only allowed their staff to 
access certain services from specific workstations. Granted, they almost 
certainly had fewer employees than you have students, but the idea is 
that they only allowed outbound services that were necessary for their 
business, and even then restricted those services to the individuals who 
required them. I am certain that the challenges of a high school 
population are much more difficult to control.


Bob

On 12/9/2015 12:32 PM, Joshua Young wrote:

We have been working with our ISP but I'm looking for something we might be
able to do here.  I don't think there is a service that is being attacked.
It's always the same interface - it's the public NAT IP for our High School
wireless network.  We change the public IP address and the problem goes
away - until the new one is discovered.  We have cycled through I think 6
IP addresses now that are available to us from at least two different
ranges.  We have not re-used any addresses - most of the addresses that
were targeted are currently disabled by our ISP.

On Tue, Dec 8, 2015 at 10:05 AM, WebDawg  wrote:


On Mon, Dec 7, 2015 at 10:40 AM, Joshua Young 
wrote:

We have recently been the target of DDoS attacks.  The same interface is
targeted each time.  Is there any way we can shut down this interface
automatically when this happens?  Is there a way to maybe set a threshold
for traffic and, when it reaches that threshold, automatically shut the
interface down?  When this happens, the pfSense is overwhelmed and our
entire WAN loses Internet connectivity.  I figure if we can shut the one
interface that is being targeted down before the traffic gets to the point
of saturating our bandwidth, then just that one network would be down
rather than our entire WAN.




Can we have more details on the DDoS attack?  Are you sure there are
no other solutions than shutting it down?  Why would it freeze?  Is a
service hosted by pfSense being attacked?






--
Robert Obrinsky President Robert Obrinsky Industries, LLC 1908 SE 45th 
Avenue Portland, OR 97215 Office 503.719.4387 Mobile 503.752.8489 
http://www.roillc.com



Re: [pfSense] Shutdown Interface?

2015-12-10 Thread pfsense
> Yes, but it doesn't do what he asked about and is a little outdated.
> 
> This is more outdated but works on the current version and can block the IP 
> or drop the interface so the upstream provider will cut the bandwidth to that 
> IP address, so his network users still have internet and aren't bottlenecked.
> 
> 
> Robert
> .
> 
> https://www.reddit.com/r/PFSENSE/comments/2xguy2/fail2ban_like_package/ 
> 

> On Dec 9, 2015, at 10:24 AM, Steve Yates  wrote:
> 
> pfse...@douwifi.com wrote on Tue, Dec 8 2015 at 4:41 pm:
> 
>>> Doug, what does that link have to do with pfSense and how does it help
>>> him configure pfsense.
> 
>   It has advice and instructions for configuring pfSense to mitigate 
> DDOS, with screenshots. :)  Including rate limiting on firewall rules which 
> the OP specifically asked about and I'll admit I didn't realize pfSense had.
> 
>   I couldn't find a "part 2" though...?
> 
>>> A quick Googling came up with this:
>>> 
>>> http://www.wedebugyou.com/2012/11/how-to-prevent-and-mitigate-ddos-part1/
> 
> 
> --
> 
> Steve Yates
> ITS, Inc.
> 


Re: [pfSense] Shutdown Interface?

2015-12-10 Thread pfsense
Yes, I did read that rather outdated and irrelevant article from 2010 or 2011, 
but once again, and for the second time, what relevance is it to his question and 
how to shut down the interface? I am not a very PC person, so forgive me; I have 
never found a use for it or need. Did you read and comprehend what his 
question was and what he wanted, or just assume something and hit Google? Hmmm. 
He asked a valid question and has a need to shut down the interface when it is 
under attack. Anyone with any actual practical knowledge and experience knows 
the upstream provider will still pass traffic even if your box, pfSense or other, 
drops it before it gets to the internal network. Your bandwidth is still used 
up until the upstream provider limits it or sees it's down and stops it for a min 
or until the interface comes back up. So in a dual WAN or hosting, even dropping 
the offending packets, your bandwidth is still used up.


Robert 


> On Dec 9, 2015, at 8:47 AM, Doug Lytle  wrote:
> 
> - On Dec 8, 2015, at 5:41 PM,  pfse...@douwifi.com wrote:
> 
>> Doug what does that link have to do with pfSense and how does it help him 
>> configure pfSense.
>> 
>> 
>> Robert
> 
> 
> Apparently you didn't review the link, I'll quote a portion of it:
> 
> 
> "How to prevent and mitigate DDoS part 1?"
> 
> "Hardware and software For the demonstration we will use pfSense 2.1"
> 
> Doug



Re: [pfSense] Shutdown Interface?

2015-12-09 Thread Joshua Young
We have been working with our ISP but I'm looking for something we might be
able to do here.  I don't think there is a service that is being attacked.
It's always the same interface - it's the public NAT IP for our High School
wireless network.  We change the public IP address and the problem goes
away - until the new one is discovered.  We have cycled through I think 6
IP addresses now that are available to us from at least two different
ranges.  We have not re-used any addresses - most of the addresses that
were targeted are currently disabled by our ISP.

On Tue, Dec 8, 2015 at 10:05 AM, WebDawg  wrote:

> On Mon, Dec 7, 2015 at 10:40 AM, Joshua Young 
> wrote:
> > We have recently been the target of DDoS attacks.  The same interface is
> > targeted each time.  Is there any way we can shut down this interface
> > automatically when this happens?  Is there a way to maybe set a threshold
> > for traffic and, when it reaches that threshold, automatically shut the
> > interface down?  When this happens, the pfSense is overwhelmed and our
> > entire WAN loses Internet connectivity.  I figure if we can shut the one
> > interface that is being targeted down before the traffic gets to the
> point
> > of saturating our bandwidth, then just that one network would be down
> > rather than our entire WAN.
> >
> > --
> >
> -
> > "The number one benefit of information technology is that it empowers
> > people to do what they want to do. It lets people be creative. It lets
> > people be productive. It lets people learn things they didn't think they
> > could learn before, and so in a sense it is all about potential."
> >
> >
> >   - Steve Ballmer
> >
> -
> >
> > Josh Young
> > Educational Technology Coordinator
> >
> > *Mount Desert Island Regional School System - AOS 91*
> > 1081 Eagle Lake Road, Mt. Desert, ME 04660
> > P.O. Box 60, Mt. Desert, ME 04660
> > Phone: (207) 288-5049 | Fax: (207) 288-5071
>
>
>
> Can we have more details on the DDoS attack?  Are you sure there are
> no other solutions than shutting it down?  Why would it freeze?  Is a
> service hosted by pfSense being attacked?



-- 
-
"The number one benefit of information technology is that it empowers
people to do what they want to do. It lets people be creative. It lets
people be productive. It lets people learn things they didn't think they
could learn before, and so in a sense it is all about potential."


  - Steve Ballmer
-

Josh Young
Educational Technology Coordinator

*Mount Desert Island Regional School System - AOS 91*
1081 Eagle Lake Road, Mt. Desert, ME 04660
P.O. Box 60, Mt. Desert, ME 04660
Phone: (207) 288-5049 | Fax: (207) 288-5071


Re: [pfSense] Shutdown Interface?

2015-12-09 Thread Steve Yates
pfse...@douwifi.com wrote on Tue, Dec 8 2015 at 4:41 pm:

>> Doug what does that link have to do with pfSense and how does it help
>> him configure pfSense.

It has advice and instructions for configuring pfSense to mitigate 
DDOS, with screenshots. :)  Including rate limiting on firewall rules which the 
OP specifically asked about and I'll admit I didn't realize pfSense had.

I couldn't find a "part 2" though...?

>> A quick Googling came up with this:
>> 
>> http://www.wedebugyou.com/2012/11/how-to-prevent-and-mitigate-ddos-part1/


--

Steve Yates
ITS, Inc.



Re: [pfSense] Shutdown Interface?

2015-12-09 Thread Doug Lytle
- On Dec 8, 2015, at 5:41 PM,  pfse...@douwifi.com wrote:

> Doug what does that link have to do with pfSense and how does it help him 
> configure pfSense.
> 
> 
> Robert


Apparently you didn't review the link, I'll quote a portion of it:


"How to prevent and mitigate DDoS part 1?"

"Hardware and software For the demonstration we will use pfSense 2.1"

Doug


Re: [pfSense] Shutdown Interface?

2015-12-09 Thread pfsense
> Doug what does that link have to do with pfSense and how does it help him 
> configure pfSense.
> 
> 
> Robert

> If you cannot help, remain silent!!
> 

> On Dec 8, 2015, at 4:05 AM, Doug Lytle  wrote:
> 
> Joshua Young wrote:
>> We have recently been the target of DDoS attacks.  The same interface is
>> targeted each time.  Is there any way we can shut down this interface
> 
> A quick Googling came up with this:
> 
> http://www.wedebugyou.com/2012/11/how-to-prevent-and-mitigate-ddos-part1/
> 
> Doug
> 



Re: [pfSense] Shutdown Interface?

2015-12-08 Thread Oliver Hansen
On Dec 7, 2015 8:13 PM, "Joshua Young"  wrote:
>
> We have recently been the target of DDoS attacks.  The same interface is
> targeted each time.  Is there any way we can shut down this interface
> automatically when this happens?  Is there a way to maybe set a threshold
> for traffic and, when it reaches that threshold, automatically shut the
> interface down?  When this happens, the pfSense is overwhelmed and our
> entire WAN loses Internet connectivity.  I figure if we can shut the one
> interface that is being targeted down before the traffic gets to the point
> of saturating our bandwidth, then just that one network would be down
> rather than our entire WAN.
>
> --
>
-
> "The number one benefit of information technology is that it empowers
> people to do what they want to do. It lets people be creative. It lets
> people be productive. It lets people learn things they didn't think they
> could learn before, and so in a sense it is all about potential."
>
>
>   - Steve Ballmer
>
-
>
> Josh Young
> Educational Technology Coordinator
>
> *Mount Desert Island Regional School System - AOS 91*
> 1081 Eagle Lake Road, Mt. Desert, ME 04660
> P.O. Box 60, Mt. Desert, ME 04660
> Phone: (207) 288-5049 | Fax: (207) 288-5071

Not that I've heard of. You can write a script to check the bandwidth and
shut down the interface and then set it as a cron job.
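
[Added example, not part of Oliver Hansen's message or the pfSense project: one way to do the cron-driven bandwidth check he describes, for the FreeBSD shell on pfSense. The interface name, threshold, state-file path and script path are hypothetical, and the `netstat -I <if> -b -n` column layout is an assumption to confirm on the target box.]

```shell
#!/bin/sh
# Added example: cron-driven inbound-rate check for one interface (FreeBSD/pfSense).
# Assumptions: interface name, threshold and state-file path are placeholders.
IFACE="${IFACE:-em1}"                 # hypothetical interface holding the targeted NAT IP
LIMIT_BPS="${LIMIT_BPS:-800000000}"   # hypothetical threshold in bits per second
STATE="${STATE:-/var/run/ifguard.$IFACE}"

# Read `netstat -I <if> -b -n` output on stdin and print Ibytes from the <Link#N> row.
# Assumed columns: Name Mtu Network Address Ipkts Ierrs Idrop Ibytes ...
ibytes_from_netstat() {
    awk '$3 ~ /^<Link#/ { print $8; exit }'
}

# rate_bps PREV_BYTES CUR_BYTES SECONDS -> bits/s, or -1 when the sample is unusable
# (counter went backwards after a reboot or reset, or no time has elapsed).
rate_bps() {
    if [ "$3" -le 0 ] || [ "$2" -lt "$1" ]; then echo -1; return; fi
    echo $(( ($2 - $1) * 8 / $3 ))
}

# verdict RATE LIMIT -> "down" when the rate exceeds the limit, otherwise "ok".
verdict() {
    if [ "$1" -gt "$2" ]; then echo down; else echo ok; fi
}

# One cron tick: compare the current counter with the one saved by the previous tick.
check_once() {
    now=$(date +%s)
    cur=$(netstat -I "$IFACE" -b -n | ibytes_from_netstat)
    [ -n "$cur" ] || { echo "no counters for $IFACE" >&2; return 1; }
    if [ -r "$STATE" ]; then
        read -r prev_ts prev < "$STATE"
        rate=$(rate_bps "$prev" "$cur" $(( now - prev_ts )))
        if [ "$(verdict "$rate" "$LIMIT_BPS")" = down ]; then
            logger -t ifguard "$IFACE inbound $rate bit/s > $LIMIT_BPS, bringing it down"
            ifconfig "$IFACE" down
        fi
    fi
    echo "$now $cur" > "$STATE"
}

# Act only when asked to, e.g. from cron: * * * * * /root/ifguard.sh --run
if [ "${1:-}" = "--run" ]; then check_once; fi
```

[Bringing the interface down only stops the firewall from processing that traffic; as another reply in this thread points out, the upstream link still carries it until the provider acts.]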


Re: [pfSense] Shutdown Interface?

2015-12-08 Thread WebDawg
On Mon, Dec 7, 2015 at 10:40 AM, Joshua Young  wrote:
> We have recently been the target of DDoS attacks.  The same interface is
> targeted each time.  Is there any way we can shut down this interface
> automatically when this happens?  Is there a way to maybe set a threshold
> for traffic and, when it reaches that threshold, automatically shut the
> interface down?  When this happens, the pfSense is overwhelmed and our
> entire WAN loses Internet connectivity.  I figure if we can shut the one
> interface that is being targeted down before the traffic gets to the point
> of saturating our bandwidth, then just that one network would be down
> rather than our entire WAN.
>
> --
> -
> "The number one benefit of information technology is that it empowers
> people to do what they want to do. It lets people be creative. It lets
> people be productive. It lets people learn things they didn't think they
> could learn before, and so in a sense it is all about potential."
>
>
>   - Steve Ballmer
> -
>
> Josh Young
> Educational Technology Coordinator
>
> *Mount Desert Island Regional School System - AOS 91*
> 1081 Eagle Lake Road, Mt. Desert, ME 04660
> P.O. Box 60, Mt. Desert, ME 04660
> Phone: (207) 288-5049 | Fax: (207) 288-5071



Can we have more details on the DDoS attack?  Are you sure there are
no other solutions than shutting it down?  Why would it freeze?  Is a
service hosted by pfSense being attacked?


Re: [pfSense] Shutdown Interface?

2015-12-08 Thread Doug Lytle

Joshua Young wrote:

> We have recently been the target of DDoS attacks.  The same interface is
> targeted each time.  Is there any way we can shut down this interface


A quick Googling came up with this:

http://www.wedebugyou.com/2012/11/how-to-prevent-and-mitigate-ddos-part1/

Doug



Re: [pfSense] Shutdown Interface?

2015-12-08 Thread Robert Obrinsky
Found the description of the attack on GRC. Of course, it is rather 
dated (2001), but may offer some help in dealing with your ISP.

http://www.crime-research.org/library/grcdos.pdf

On 12/7/2015 8:40 AM, Joshua Young wrote:

> We have recently been the target of DDoS attacks.  The same interface is
> targeted each time.  Is there any way we can shut down this interface
> automatically when this happens?  Is there a way to maybe set a threshold
> for traffic and, when it reaches that threshold, automatically shut the
> interface down?  When this happens, the pfSense is overwhelmed and our
> entire WAN loses Internet connectivity.  I figure if we can shut the one
> interface that is being targeted down before the traffic gets to the point
> of saturating our bandwidth, then just that one network would be down
> rather than our entire WAN.



--
Robert Obrinsky President Robert Obrinsky Industries, LLC 1908 SE 45th 
Avenue Portland, OR 97215 Office 503.719.4387 Mobile 503.752.8489 
http://www.roillc.com



Re: [pfSense] Shutdown Interface?

2015-12-08 Thread Robert Obrinsky
I don't have an answer to your question, but I would recommend that you 
contact your ISP and talk to them about the problem. I have not read his 
blog in some time, but Steve Gibson (of Gibson Research - Shields Up and 
Spinrite software) described a problem he was having with DDoS attacks 
and his ISP was able to protect him from them.


Is your interface set to drop packets silently, or does it respond with 
ICMP destination unreachable/port unreachable messages?


And, from the forums:
https://forum.pfsense.org/index.php?topic=87369.5;wap2

One more thought:
http://www.wedebugyou.com/2012/11/how-to-prevent-and-mitigate-ddos-part1/


On 12/7/2015 8:40 AM, Joshua Young wrote:

> We have recently been the target of DDoS attacks.  The same interface is
> targeted each time.  Is there any way we can shut down this interface
> automatically when this happens?  Is there a way to maybe set a threshold
> for traffic and, when it reaches that threshold, automatically shut the
> interface down?  When this happens, the pfSense is overwhelmed and our
> entire WAN loses Internet connectivity.  I figure if we can shut the one
> interface that is being targeted down before the traffic gets to the point
> of saturating our bandwidth, then just that one network would be down
> rather than our entire WAN.



--
Robert Obrinsky President Robert Obrinsky Industries, LLC 1908 SE 45th 
Avenue Portland, OR 97215 Office 503.719.4387 Mobile 503.752.8489 
http://www.roillc.com
