This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

How to stop IPSec DDOS attack?

My System log (Sophos XG310, running 18.5.2 MR-2-Build380) is filling up with messages like these:

2022-01-21 15:03:41     IPSec     Failed     parsing IKE header from 45.189.204.1[17425] failed

2022-01-21 15:03:31     IPSec     Failed     parsing IKE header from 45.189.204.1[10306] failed

They're coming in every 5 to 10 seconds. The IP address (45.189.204.1) is not one of mine. I have no idea who it is.

Here's what DOESN'T work. I have an active firewall rule at the very top of the list with a Drop action for Source zone: WAN, Source networks and devices: 45.189.204.1, Destination zone: Any, Destination networks: Any, Services: Any. Since activating the rule, there are no hits on it recorded in the Firewall log, but entries in the System log described above continue.

What am I missing? 

 



This thread was automatically locked due to age.
  • You need a blackhole NAT rule for this kind of traffic support.sophos.com/.../KB-000038943

    __________________________________________________________________________________________________________________

  • OK, I tried this. It may be working -- I'm not positive because the attack stopped a couple of hours before I added the blackhole NAT. I have no doubt that they'll be back, however.

    There's still a problem. We have two branch offices with XG firewalls that have site-to-site VPN connections back to the head office. I didn't want to blackhole those, so I added their IP addresses in the Exclusion section of the blackhole firewall rule. With the rule active, the site-to-site VPN connections remain active and functional. However, if either of the VPN connections drops for some reason (we have a somewhat flaky network connection), the branch offices can no longer initiate a re-connection. However, if I initiate the reconnection at the head office, the branch offices will reconnect.