pfsense help

PPLdude

Hello guys,

When I do a DRDoS using DNS (I think) my pfsense blocks it, however I still get timed out.

Does anyone know why this happens? Is there even a way to defend against this attack?
 
Need some more detail on the network topology and the attack that you are using, but basically if you use a DNS forwarder, set a rule to only allow traffic to and from the external DNS. That way all that an attacker can do is exhaust your bandwidth, not machine resources, which you can then manage with your upstream bandwidth provider using additional filtering.
 

Basically Internet -> Pfsense -> Rest of network (Including Pi-hole which is using 8.8.8.8/8.8.4.4)

It's not crashing the machine running pfsense, just flooding it, which I'm trying to prevent. Just wasn't sure if that's possible.
 
What exactly is the attack you are launching? This is far too vague.
 

I meant what is he actually doing.

The following doesn't inspire confidence:
"DRDoS using DNS (I think)"

Linking to white papers of different types of amplification attacks is all good and well, but the exact attack allows looking at how the router would behave and explaining why it is that way and how to defend against it.
 

Agreed that the info is a bit thin, which is why I made some assumptions of my own. The OP is referring to a DRDoS attack using DNS, and that, in its simplest form, means spoofed IP to public DNS over UDP. Not necessarily at application layer, more like at OSI layer 5.
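
An added example, not part of any post in this thread: a small Python model of the rule suggested above (accept DNS replies only from the upstream resolvers, and only for queries actually sent), run over constructed packet records. The WAN address, ports and packet sizes are assumptions; it shows how every flood packet can be dropped while the inbound link still carries all of the bytes.

```python
from collections import namedtuple

# Constructed UDP/53 packet records as seen on the WAN link (not a real capture).
Pkt = namedtuple("Pkt", "direction src sport dst dport size")

UPSTREAM_DNS = {"8.8.8.8", "8.8.4.4"}  # resolvers Pi-hole forwards to, per the thread
WAN_IP = "203.0.113.10"                # assumption: documentation-range address


def filter_wan(packets):
    """Pass a DNS reply only if it comes from an upstream resolver and
    answers a query we sent; count what the link carried regardless."""
    pending = set()  # (resolver, local source port) of outstanding queries
    stats = {"passed": 0, "dropped": 0, "dropped_bytes": 0, "link_bytes_in": 0}
    for p in packets:
        if p.direction == "out":
            if p.dport == 53 and p.dst in UPSTREAM_DNS:
                pending.add((p.dst, p.sport))
            continue
        # Inbound bytes have already crossed the WAN link before any rule runs.
        stats["link_bytes_in"] += p.size
        key = (p.src, p.dport)
        if p.sport == 53 and p.src in UPSTREAM_DNS and key in pending:
            pending.discard(key)
            stats["passed"] += 1
        else:
            stats["dropped"] += 1
            stats["dropped_bytes"] += p.size
    return stats


def sample_traffic():
    """One legitimate lookup plus 1000 reflected replies (all constructed)."""
    pkts = [Pkt("out", WAN_IP, 40001, "8.8.8.8", 53, 60),
            Pkt("in", "8.8.8.8", 53, WAN_IP, 40001, 120)]
    # Replies from open resolvers that were sent queries with our address spoofed.
    for i in range(1000):
        pkts.append(Pkt("in", f"198.51.100.{i % 250 + 1}", 53, WAN_IP, 50000 + i, 3000))
    # A reply carrying an allowed resolver address but matching no query of ours.
    pkts.append(Pkt("in", "8.8.4.4", 53, WAN_IP, 40002, 3000))
    return pkts


if __name__ == "__main__":
    s = filter_wan(sample_traffic())
    share = s["dropped_bytes"] / s["link_bytes_in"]
    print(s, f"dropped traffic was {share:.2%} of inbound link bytes")
```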
 