Are there any services open on that interface so that students can access servers from remote sites? Does your public address respond to ICMP? Is it possible that some of your students' computers/devices are members of a botnet and reporting back to a command and control server? Have you or someone you have hired conducted a penetration test of your public addresses? It seems too convenient that you are continually being rediscovered. How long before the new public address gets attacked?

As far as outbound traffic is concerned, are there any protocols that are restricted, or is anything allowed out? I have seen hedge funds that were very serious about security where they only allowed their staff to access certain services from specific workstations. Granted, they almost certainly had fewer employees than you have students, but the idea is that they only allowed outbound services that were necessary for their business, and even then restricted those services to the individuals who required them. I am certain that the challenges of a high school population are much more difficult to control.

Bob

On 12/9/2015 12:32 PM, Joshua Young wrote:
We have been working with our ISP but I'm looking for something we might be
able to do here.  I don't think there is a service that is being attacked.
It's always the same interface - it's the public NAT IP for our High School
wireless network.  We change the public IP address and the problem goes
away - until the new one is discovered.  We have cycled through I think 6
IP addresses now that are available to us from at least two different
ranges.  We have not re-used any addresses - most of the addresses that
were targeted are currently disabled by our ISP.

On Tue, Dec 8, 2015 at 10:05 AM, WebDawg <[email protected]> wrote:

On Mon, Dec 7, 2015 at 10:40 AM, Joshua Young <[email protected]>
wrote:
We have recently been the target of DDoS attacks.  The same interface is
targeted each time.  Is there any way we can shut down this interface
automatically when this happens?  Is there a way to maybe set a threshold
for traffic and, when it reaches that threshold, automatically shut the
interface down?  When this happens, the pfSense is overwhelmed and our
entire WAN loses Internet connectivity.  I figure if we can shut the one
interface that is being targeted down before the traffic gets to the
point of saturating our bandwidth, then just that one network would be
down rather than our entire WAN.

--

Josh Young
Educational Technology Coordinator

*Mount Desert Island Regional School System - AOS 91*
1081 Eagle Lake Road, Mt. Desert, ME 04660
P.O. Box 60, Mt. Desert, ME 04660
Phone: (207) 288-5049 | Fax: (207) 288-5071
_______________________________________________


Can we have more details on the DDoS attack?  Are you sure there are
no other solutions than shutting it down?  Why would it freeze?  Is a
service hosted by pfSense being attacked?
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold




--
Robert Obrinsky
President
Robert Obrinsky Industries, LLC
1908 SE 45th Avenue
Portland, OR 97215
Office 503.719.4387
Mobile 503.752.8489
http://www.roillc.com