
firewall recommendations?

With pfSense blocking incoming connection attempts as opposed to his router acknowledging them, whoever is behind the DDoS will have no visibility of their attack rate/strength or effectiveness (another good reason to always block or filter ICMP traffic). In 90% of the DDoS attacks I've seen/experienced the attacker gives up or switches vectors pretty quickly after you start dropping their traffic, even if that is done at the CPE.

 

Obviously an ISP based solution would be better but he's already ruled that out as an option.

 

@acdcman200 - It would be helpful to find out exactly what you mean by DDoS, as this is a pretty encompassing term which can mean a lot of different things; there may be a completely firewall-free way to accomplish what you're after.

I'm on a horse...


Gaming Rig | Storage Server | Virtual Server | HTPC
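The drop-rather-than-acknowledge behaviour described in the post above, written out as a constructed pf.conf fragment (pfSense builds its rules on pf). This is an added example, not the poster's configuration; the WAN interface name em0 is assumed.

```pf
# Constructed example pf.conf fragment for a home WAN edge (not from the post).
# Assumes the external interface is named "em0".
ext_if = "em0"

# "drop" instead of "return": a dropped packet sends no TCP RST and no ICMP
# unreachable back, so the sender learns nothing about what reached the edge.
set block-policy drop

# Normalise fragments before filtering so rules see whole packets.
scrub in on $ext_if all

# Reject packets arriving on the WAN with source addresses that belong to
# our own networks (classic spoofing), logged for later review.
antispoof log for $ext_if

# Default deny everything unsolicited inbound on the WAN; nothing is acknowledged.
block drop in log on $ext_if all

# Filter ICMP rather than blanket-block it: keep the types path MTU discovery
# depends on (unreachable/fragmentation-needed, time exceeded) so our own
# outbound connections do not stall. Echo requests stay caught by the default
# deny above, so the box does not answer pings from the outside.
pass in on $ext_if inet proto icmp icmp-type { unreach, timex } keep state

# Stateful outbound: replies to connections we initiated are allowed back in.
pass out on $ext_if all keep state
```

As later replies in this thread point out, this hides the edge from the attacker and sheds the packets that do arrive, but it cannot stop the upstream link itself from being saturated.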



Except in this case the attackers are his brother's friends, so I doubt they'll stop just because they aren't getting ACKs.

 

As I and others have said (both in this and your previous thread), a firewall will not stop the attacks, nor will it help to mitigate them. If your ISP is unwilling to help you, then your options are to switch providers (or threaten to switch) or get your parents to tell your brother to tell them to stop.

15" MBP TB

AMD 5800X | Gigabyte Aorus Master | EVGA 2060 KO Ultra | Define 7 || Blade Server: Intel 3570k | GD65 | Corsair C70 | 13TB


Sophos has a pretty good firewall, but my router automatically just blocks it by blocking the ping to it. Unless you DoS it from your own network you can't. It's an N66U.

 

If they are good hackers, they will get around it and you will need better gear. Just buy a new router and crank up the protection, or, as others suggested, build yourself a nice pfSense router.

Generally, really high-level hardware firewalls are for enterprises or businesses where it's really under threat by people who are actually targeting it for financial purposes. Also get a good antivirus and firewall on your computer.

And I'm not sure if you can, but see if you can blacklist public IP addresses from DoSing your router.


Due to my main computer being DDoSed, and after discovering my brother had others doing it, I need to purchase a firewall. I have 1000 dollars to spend on one. I need something that I can connect that will help prevent DDoS attacks. I've already contacted my internet service provider and they say there's nothing they can do to change my IP address (or they're just not willing to). I don't want to use a VPN as they slow down my internet way too much. If you can, please recommend me something that is extremely reliable. Honestly, I'm thinking about something enterprise-grade level. If you can think of good ones, please write the name of it in the comments, or if you have personal experience with this, please PM me.

Thanks guys

 

There's no way in hell you can mitigate a DDoS attack (in a home network) because it will most likely oversaturate the backbone before it even reaches you. Mitigation machines are fine-tuned firewalls that cost tens of thousands of dollars.

 

Second thing that you need to worry about is getting null-routed or even suspended by your ISP. No ISP wants their network to suffer because of someone.

 

Talk to whoever had this bright idea to do this to you.

 

 

This is definitely the most concise response here so far. pfSense won't help. A VPN won't help. A DDoS works by flooding the incoming pipe with connection requests. Even refusing those requests takes up resources. Especially since pfSense is on the wrong end of the network line to do any mitigation at all.

 

DDoS mitigation services work as a middle man between your connection. Your true IP Address is never exposed in this scenario. As one IP Address is flooded by the DDoS attack, the mitigation service slips your connection to a new IP Address, and bounces you around, filtering out as much traffic as possible.

 

If your true IP Address is already exposed then I don't really see anything that can be done. Using a VPN won't change the IP Address your Modem has, it will just protect you from having your IP Address exposed in the future. Anyone who already knows it won't suddenly forget about it. A VPN doesn't block or cancel out traffic on your regular IP Address, because the VPN service is connecting to that regular IP Address, and using it to communicate with you.

 

The only real solution I can see is changing your IP Address. Once you do that, using a VPN to protect your IP from further exposure is a good way to prevent DDoS exposure, but it won't help until you have a new, "secret" IP Address. @acdcman200 you need to convince your ISP to give you a new IP Address. If all else fails, and this is a serious issue, then you could cancel your connection, wait for it to be disconnected, then have the service hooked up again; that would definitely give you a new IP. But I would straight up ask your ISP why they won't give you a new IP Address. Furthermore, DDoS attacks are illegal in basically almost every country. Why are your brother's friends DDoSing you to begin with? Is he that big of an asshole? How old is he? Does he live at home? If you cannot convince him to stop, then you need to go to your parents or the police.

 

@Eniqmatic

@Darren

 
Also what he says.

What kind of speeds are we talking here? If we're talking enterprise equipment, I'd recommend either the Juniper SRX line or something from Palo Alto Networks, both of which have DDoS protection, but you'll have to tune it for your network so that it doesn't block legit traffic.

 

EDIT: Before someone asks or mentions it, I don't think that Cisco's ASA with FirePOWER has anything on either of the above. FirePOWER is the result of Cisco's purchase of Sourcefire a few years back, and it's been bolted onto the firewall solution rather than designed from the ground up as a threat protection platform like both the SRX line and PA Networks' Next-Gen Firewall product. I've looked into all three and personally prefer Palo Alto's due to ease of use once you wrap your head around how to write rules in it.

 

EDIT2: Now that I think about it, Palo Alto's solution may fall outside your price range though.  I think the smallest unit they have starts at $2000 USD.  In which case, maybe a Juniper SRX 210 might be the better option.

Current Rig
AMD Ryzen 5900X - Asus ROG Strix X570-E Gaming WiFi 2 - 32 GB GSkill TridentZ RGB
GeForce RTX 3080 - WD Black SN850 1TB  - Lian Li O11 Dynamic XL

