pfsense help

PPLdude

Expert Member
Joined
Oct 3, 2011
Messages
1,618
Hello guys,

When I do a DRDoS using DNS (I think), my pfSense blocks it, however I still get timed out.

Does anyone know why this happens? Is there even a way to defend against this attack?
 

infscrtyrisk

Expert Member
Joined
Nov 22, 2014
Messages
1,296
Need some more detail on the network topology and the attack that you are using, but basically if you use a DNS forwarder, set a rule to only allow traffic to and from the external DNS. That way all that an attacker can do is exhaust your bandwidth, not machine resources, which you can then manage with your upstream bandwidth provider using additional filtering.
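As an added illustration of the rule suggested above (this is not code from the original post or from the pfSense project), the following pf ruleset expresses "only allow DNS to and from the external resolvers" in the syntax pfSense generates from its Firewall > Rules entries. The interface names em0 (WAN) and em1 (LAN) and the Pi-hole address 192.168.1.2 are assumptions; 8.8.8.8 and 8.8.4.4 are the resolvers named later in the thread.

```pf
# Added example, not from the original thread or from pfSense's own generated rules.
# Assumed (not in the thread): WAN = em0, LAN = em1, Pi-hole = 192.168.1.2.
wan    = "em0"
lan    = "em1"
pihole = "192.168.1.2"
table <upstream_dns> const { 8.8.8.8, 8.8.4.4 }

set block-policy drop        # drop silently; never answer a spoofed source with RST/ICMP
set skip on lo0

# Default deny in both directions; every pass below is an explicit exception.
block drop all

# LAN side: only the Pi-hole may speak to the upstream resolvers, and only on port 53.
# Any other LAN host trying to reach an outside resolver directly is dropped (and logged).
pass in quick on $lan inet proto { udp, tcp } from $pihole to <upstream_dns> port 53 keep state
block drop log in quick on $lan inet proto { udp, tcp } from any to any port 53
pass in quick on $lan inet from $lan:network to any keep state

# WAN side: DNS leaves only toward the two resolvers. The state entry that this pass
# creates is what lets the matching answer back in; pf checks state before rules, so a
# legitimate reply never reaches the block below.
pass out quick on $wan inet proto { udp, tcp } to <upstream_dns> port 53 keep state
pass out quick on $wan inet keep state

# Anything arriving from source port 53 with no matching state is an answer to a query
# this firewall never sent, i.e. reflection traffic aimed at us. Drop and log it.
block drop log in quick on $wan inet proto udp from any port 53 to any

# Outbound NAT for the LAN is omitted; pfSense generates it automatically.
```

Check the syntax with `pfctl -nf <file>` before loading, and watch `pfctl -ss | grep ':53'` to confirm that only states toward 8.8.8.8 and 8.8.4.4 exist. Note the limit infscrtyrisk points out: the dropped reflection packets still cross the WAN link before pf sees them, so this protects the firewall's state table and the LAN, not the upstream bandwidth.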
 

PPLdude

Expert Member
Joined
Oct 3, 2011
Messages
1,618
Need some more detail on the network topology and the attack that you are using, but basically if you use a DNS forwarder, set a rule to only allow traffic to and from the external DNS. That way all that an attacker can do is exhaust your bandwidth, not machine resources, which you can then manage with your upstream bandwidth provider using additional filtering.

Basically Internet -> pfSense -> Rest of network (including Pi-hole, which is using 8.8.8.8/8.8.4.4)

It's not crashing the machine running pfSense, just flooding it, which I'm trying to prevent. Just wasn't sure if that's possible.
 

Gnome

Executive Member
Joined
Sep 19, 2005
Messages
7,208
What exactly is the attack you are launching? This is far too vague.
 

Gnome

Executive Member
Joined
Sep 19, 2005
Messages
7,208

I meant what is he actually doing.

The following doesn't inspire confidence:
DRDoS using DNS (I think)

Linking to white papers of different types of amplification attacks is all good and well, but the exact attack allows looking at how the router would behave and explain why it is that way and how to defend against it.
 

infscrtyrisk

Expert Member
Joined
Nov 22, 2014
Messages
1,296
I meant what is he actually doing.

The following doesn't inspire confidence:
DRDoS using DNS (I think)

Linking to white papers of different types of amplification attacks is all good and well, but the exact attack allows looking at how the router would behave and explain why it is that way and how to defend against it.

Agreed that the info is a bit thin, which is why I made some assumptions of my own. The OP is referring to a DRDoS attack using DNS, and that, in its simplest form, means spoofed IP to public DNS over udp. Not necessarily at application layer, more like at OSI layer 5.
 