
XG 550 performance slow, high "Sessions" amount

We have an XG 550 rev. 2 configured with 2 different internet connections and a 10 gig fiber card for the LAN port. We have been experiencing DDoS attacks which we have an external service mitigating. What we have found is that at certain times during the attacks, or even after they have subsided, we experience the XG getting extremely high session counts (1.5 million, 1.8 million, even 2.1 million at one point). This causes our internet connectivity to grind to a halt for some amount of time. The slowness is unusable in most cases.

Sometimes we disconnect the ISP line that doesn't have DDoS mitigation on it to see if we can fix the issue. It almost feels like when we do that, the session count and memory usage climb through the roof. In one case we had the second line disconnected, the attack was mitigated on the first line, but the session count and memory stayed high. We rebooted the firewall, down for 10 minutes, then the sessions went right back up! We plugged the second line back in and immediately the session count came down. So confused. Can anyone shed any light on this?



  • Sessions are basically conntrack table entries. Seems like some system is overloading your system with sessions. You should get some expertise in-house to find the root cause of this attack.

    It could be an attack or a network issue with loops.

    Maybe try the following: 

    Conntrack is responsible for the sessions in XG firewall.

    You can check which kind of connections is filling this up, but you need Linux CLI knowledge to do so:

    conntrack -L will list all current sessions (basically 1.8M entries).

    You can pipe them and start grepping. conntrack -L | grep NEW | wc -l will list basically all new sessions currently seen and count them.

    https://www.linuxtopia.org/Linux_Firewall_iptables/x1347.html
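The reply above suggests dumping the conntrack table and grepping it. As an added example (not code from the thread or from Sophos), the script below takes a `conntrack -L` dump and summarises it by protocol and TCP state, by destination port, and by original-direction source address, so that a table of 1.8M entries can be reduced to "which service and which sources are filling it". The sample dump embedded in it is constructed for illustration; the addresses are documentation ranges and the `ct_*` function names are this example's own. On the appliance you would feed the real dump in with `conntrack -L 2>/dev/null | ct_by_state` and so on.

```shell
#!/bin/sh
# Added example: summarise a `conntrack -L` dump to see what fills the table.
# Each function reads conntrack lines on stdin. TCP entries carry a state in
# column 4 (SYN_RECV, ESTABLISHED, TIME_WAIT, ...); UDP entries have no state.
# Entries that never saw a reply lack the [ASSURED] flag, which is typical of
# spoofed-source floods against a listening service.

# Constructed sample in `conntrack -L` format (addresses are documentation ranges).
SAMPLE='tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=198.51.100.10 sport=51000 dport=443 src=198.51.100.10 dst=10.0.0.5 sport=443 dport=51000 [ASSURED] mark=0 use=1
tcp      6 59 SYN_RECV src=203.0.113.7 dst=198.51.100.10 sport=40001 dport=80 src=198.51.100.10 dst=203.0.113.7 sport=80 dport=40001 mark=0 use=1
tcp      6 58 SYN_RECV src=203.0.113.8 dst=198.51.100.10 sport=40002 dport=80 src=198.51.100.10 dst=203.0.113.8 sport=80 dport=40002 mark=0 use=1
tcp      6 57 SYN_RECV src=203.0.113.9 dst=198.51.100.10 sport=40003 dport=80 src=198.51.100.10 dst=203.0.113.9 sport=80 dport=40003 mark=0 use=1
udp      17 29 src=192.0.2.4 dst=198.51.100.20 sport=5353 dport=53 src=198.51.100.20 dst=192.0.2.4 sport=53 dport=5353 [ASSURED] mark=0 use=1
udp      17 12 src=192.0.2.4 dst=198.51.100.20 sport=5354 dport=53 src=198.51.100.20 dst=192.0.2.4 sport=53 dport=5354 mark=0 use=1
tcp      6 110 TIME_WAIT src=10.0.0.6 dst=198.51.100.10 sport=51001 dport=443 src=198.51.100.10 dst=10.0.0.6 sport=443 dport=51001 [ASSURED] mark=0 use=1'

# Entries per protocol and TCP state, most common first.
ct_by_state() {
  awk '{ state = ($1 == "tcp") ? $4 : "-"; n[$1 " " state]++ }
       END { for (k in n) print n[k], k }' | sort -rn
}

# Entries per original-direction destination port (first dport= on the line).
# Argument: how many ports to show (default 10).
ct_by_dport() {
  awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^dport=/) { n[substr($i, 7)]++; break } }
       END { for (k in n) print n[k], k }' | sort -rn | head -n "${1:-10}"
}

# Entries per original-direction source address (first src= on the line).
# Many sources with one entry each points at spoofing; few sources with many
# entries points at specific hosts worth checking.
ct_by_src() {
  awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^src=/) { n[substr($i, 5)]++; break } }
       END { for (k in n) print n[k], k }' | sort -rn | head -n "${1:-10}"
}

# Number of TCP entries in one state, e.g. SYN_RECV, usable for a threshold alert.
ct_state_count() {
  awk -v s="$1" '$1 == "tcp" && $4 == s { c++ } END { print c + 0 }'
}

# Percentage of entries that never became [ASSURED] (no two-way traffic seen).
ct_unassured_pct() {
  awk '{ t++; if ($0 !~ /\[ASSURED\]/) u++ } END { print int(t ? 100 * u / t : 0) }'
}

# Stand-alone run over the constructed sample. On the firewall, replace
# `printf '%s\n' "$SAMPLE"` with `conntrack -L 2>/dev/null`.
echo "== by state ==";      printf '%s\n' "$SAMPLE" | ct_by_state
echo "== top dports ==";    printf '%s\n' "$SAMPLE" | ct_by_dport 5
echo "== top sources ==";   printf '%s\n' "$SAMPLE" | ct_by_src 5
echo "SYN_RECV entries: $(printf '%s\n' "$SAMPLE" | ct_state_count SYN_RECV)"
echo "unassured: $(printf '%s\n' "$SAMPLE" | ct_unassured_pct)%"
```

The by-state and unassured figures are the quickest read: a table dominated by SYN_RECV or by unassured UDP entries toward one port tells you which service the traffic targets, and the source summary tells you whether it is a handful of hosts or randomised addresses, which decides whether a firewall rule can help or only upstream mitigation can.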

  • 1.8 Million is definitely too high.

    Could be some attack that is "consuming" sessions. Or maybe some packets with randomized source addresses going against a service you are providing (e.g. webserver, DNS, ...).

    1) Check the rules WAN -> LAN and whether IDS is switched on.

    2) Set up a mirror port and try to find out what's actually happening.



    I did not completely understand what you are doing with your two internet lines, though ....

    (From our experience it is not possible to defend against a DDoS attack on the device itself. So mitigating at the ISP is the way you need to do this. However, be prepared that the second line could also be attacked; we noticed the attack wandering depending on the provider ...)

  • We have 2 totally separate ISPs that go into the XG 550 (with SD-WAN policy routes balancing traffic). One has DDoS mitigation at the ISP level, and one doesn't have it (being replaced later this year). When we get attacked we have at times disconnected the 2nd line that doesn't have DDoS protection on it. It stops the attack from that unprotected line, but it feels like the appliance raises its sessions and memory just because that second line is disconnected.

  • Maybe DDoS mitigation is not working and the attack is coming from the other side ...

    2) Set up a mirror port and try to find out what's actually happening.