Pfsense ddos crash

[Mornincupofhate]

So I want to use pfsense as one of my home firewalls, but I've heard that it crashes at very low strength ddos attacks, like 1/4 of the entire pipe. Anyone know why this happens? You'd think it would be choking the CPU, but none of the hardware was maxed out.

[deleted_member_030719]

It would make a lot more sense to just get a DDoS protected VPN than rely on software for DDoS protection. If you use software for DDoS protection then all they have to do is overload your port speed. 

[KuJoe]

Your internet port will be saturated before your pfSense firewall crashes.

[Mornincupofhate]

Just now, Jed M said:

It would make a lot more sense to just get a DDoS protected VPN than rely on software for DDoS protection. If you use software for DDoS protection then all they have to do is overload your port speed. 

I don't want a ddos protection service. My question is, why do ddos attacks crash pfsense when it isn't even filling up the pipe? 

[deleted_member_030719]

Just now, Mornincupofhate said:

I don't want a ddos protection service. My question is, why do ddos attacks crash pfsense when it isn't even filling up the pipe? 

Because it could overload the router's ability to process the traffic.

[Mornincupofhate]

Just now, KuJoe said:

Your internet port will be saturated before your pfSense firewall crashes.

That's not how it was before. I had a dedi with 1gbps incoming max, 64gb ram, and 8 physical cores with pfsense.

 

a 200mbps flood comes in and bye bye server

[KuJoe]

Also keep in mind there are a lot of different types of DDoS attacks. Volumetric attacks (UDP) will saturate a port while SYN floods (TCP) will overload the router with packets so you can effectively bring down a network without using all of the bandwidth.

[Mornincupofhate]

Just now, Jed M said:

Because it could overload the router's ability to process the traffic.

CPU and ram were never near maxing out. 

[KuJoe]

Just now, Mornincupofhate said:

That's not how it was before. I had a dedi with 1gbps incoming max, 64gb ram, and 8 physical cores with pfsense.

 

a 200mbps flood comes in and bye bye server

Yup, you only need about 250k PPS to bring down an x86 router.

[deleted_member_030719]

Just now, Mornincupofhate said:

CPU and ram were never near maxing out. 

Could you tell what method of attack it was? TCP or UDP? Layer 3/4 or 7?

[Mornincupofhate]

1 minute ago, KuJoe said:

Also keep in mind there are a lot of different types of DDoS attacks. Volumetric attacks (UDP) will saturate a port while SYN floods (TCP) will overload the router with packets so you can effectively bring down a network without using all of the bandwidth.

The packets were UDP. There was no syn ack involved. 

[Mornincupofhate]

Just now, Jed M said:

Could you tell what method of attack it was? TCP or UDP? Layer 3/4 or 7?

Layer 4 udp packets with spoofed sources. The data center has been blocking the attacks since I've reported it, but it's going to keep me up at night if I can't solve this

[deleted_member_030719]

Just now, Mornincupofhate said:

The packets were UDP. There was no syn ack involved. 

Router most likely then. Either that or saturated port. 

[KuJoe]

Just now, Mornincupofhate said:

The packets were UDP. There was no syn ack involved. 

Were you using the onboard NICs?

[deleted_member_030719]

Just now, Mornincupofhate said:

Layer 4 udp packets with spoofed sources. The data center has been blocking the attacks since I've reported it, but it's going to keep me up at night if I can't solve this

Could they be exploiting something with PfSense's routing? 

[Mornincupofhate]

Just now, KuJoe said:

Were you using the onboard NICs?

Most likely. The servers the DC used are custom, so I don't really know.

[Mornincupofhate]

1 minute ago, Jed M said:

Could they be exploiting something with PfSense's routing? 

Doubtful. It was just a raw UDP flood, nothing special.

I googled the problem and a bunch of other people have experienced this also. Weird.

[KuJoe]

2 minutes ago, Mornincupofhate said:

Most likely. The servers the DC used are custom, so I don't really know.

Pop in some enterprise PCI-E NICs and that will help. Even if it's a server grade motherboard the NICs aren't designed to handle high volumes of packet routing, higher end NICs should handle it better.

 

EDIT: I'm heading out to dinner now but when I get home I'll try to get you some numbers. A hosting provider I'm friendly with actually ran some tests on different NICs (onboard and PCI-E) and how they perform under DoS attacks in a Vyatta server which should translate well to pfSense.

[Mornincupofhate]

1 minute ago, KuJoe said:

Pop in some enterprise PCI-E NICs and that will help. Even if it's a server grade motherboard the NICs aren't designed to handle high volumes of packet routing, higher end NICs should handle it better.

Which provider should I buy from?

[KuJoe]

1 hour ago, Mornincupofhate said:

Which provider should I buy from?

Intel NICs are some of the best. I don't have specific models off-hand though.

[Mornincupofhate]

13 hours ago, KuJoe said:

Intel NICs are some of the best. I don't have specific models off-hand though.

Ah alright. Would NIC-teaming help any?

[KuJoe]

1 hour ago, Mornincupofhate said:

Ah alright. Would NIC-teaming help any?

For onboard NICs I don't believe so, you can give it a try though.