    Pfsense freeze at DDoS attack - Tuning?

    68 Posts 10 Posters 23.0k Views
    kejianshi

      I know you have my IP in Denmark Supermule…  Please spare me (-;

      Supermule

        I will mate :D

        This is just testing and you can bring down just about anything out there. It's quite scary.

        The state table fills up instantly but everything is responsive and nothing in the logs. Your drop pipeline is just filled and nothing to do about it since pfSense doesn't seem to be able to handle this specific kind of SYN traffic.

        kejianshi

          I just checked the servers running there on public IPs - Nothing hit yet.
          Hope it stays that way.

          Supermule

            Don't worry mate. It won't come from any of us here.

            But it can be ordered online and it's very easy to take down pfsense.org and the forum if we want to (we don't).

            The first seconds of the attack, pfSense dies on the WAN side while states are flooding but only on 1 specific type of SYN. Nothing in the logs and nothing reported by Snort as well.

            cmb

              @kejianshi:

              I mean surely if they can methodically drop traffic you want they can methodically drop traffic you don't want?

              A SYN is a SYN is a SYN generally, which is why null routing the IP being attacked is the typical response. Can't tell the difference between legit users and the DDoS traffic in most cases.

              @Supermule:

              Chris…This is my home setup that we did testing on.

              It doesn't use all resources but the connection (100mbit) goes offline at once.

              Again, what test is this? PM me if you don't want to post publicly.

              Supermule

                Hi Chris

                We use something like this

                https://www.vdos-s.com

                You can order any kind of attack using whatever length of time you want.

                You can write to Lowprofile and give him a testing address to see how this is seen by pfSense and the results.

                When using port 80 and for my own testing purposes, I have pfBlockerNG running and it takes a lot of traffic away from the webserver itself but pfSense dies fast anyway. I see around 20mbit of traffic on the server and it's responsive from the inside and you don't see anything wrong with it.

                It's just offline.

                lowprofile

                  @cmb:

                  @kejianshi:

                  I mean surely if they can methodically drop traffic you want they can methodically drop traffic you don't want?

                  A SYN is a SYN is a SYN generally, which is why null routing the IP being attacked is the typical response. Can't tell the difference between legit users and the DDoS traffic in most cases.

                  @Supermule:

                  Chris…This is my home setup that we did testing on.

                  It doesn't use all resources but the connection (100mbit) goes offline at once.

                  Again, what test is this? PM me if you don't want to post publicly.

                  PM sent! Regarding null route, I am running a layer 2 setup and a null route through my provider costs me $200 each time :) despite having professional DoS protection.

                  lowprofile

                    @Harvy66:

                    There is an option in pfSense that has a linear reduction in state live time after a threshold. I'm not at home to look at it, but I think it's under advanced or something in the general settings.

                    In my case, I have it set to 3mil states, with a 4mil hard cap. So after 3mil states are created, the live time of those states will keep reducing as more states get added. By the time 4mil states exist, if a state isn't refreshed almost immediately, the state will get killed as being "old".

                    Another idea that popped into my head, I have no practice in these kinds of issues, but it seems as if the client machine is ACKing all of those SYNs, as it should. Would rate limiting new connections per client be an acceptable trade-off, assuming it can be done at a per client level?

                    Another possibility could be rate limiting via traffic shaping, how much bandwidth SYN packets get for that customer.

                    Just throwing around ideas.

                    I forgot to reply to you!  :-\ thanks for the tips!  :)
                    I will try playing with those states, if others have better ideas let us know :)

                    Supermule

                      It's not to be found under system -> advanced…

                      Harvy66

                        It's wherever you set max states, I think. I forgot to check when I got home yesterday….. Definitely in the menu at the top left.

                        Supermule

                          FOUND IT!

                          Thanks mate! ;)

                          Harvy66

                            @Supermule:

                            FOUND IT!

                            Thanks mate! ;)

                            In case others wonder

                            Advanced->Firewall/NAT->Firewall Adaptive Timeouts

                            Supermule

                              Any progress on this? We are currently testing different attack scenarios and settings and currently we can make pfSense survive the floods but only barely.

                              Harvy66

                                Supermule, at what rates and what type of CPU?

                                Supermule

                                  Currently seeing 7,5mbit and 140K states and the pipe becomes unstable using ping….

                                  [attached screenshots: pfsense_ESXi.PNG, pfsense.PNG]

                                  Supermule

                                    We could test against http://store.netgate.com and see how robust it is??

                                    I mean we report something and no reply at all to what can be done to make it more robust/resistant.

                                    kejianshi

                                      It's a weekend man - I'm sure they will be getting back with you Monday.  No need to DDoS their stores I think.  haha

                                      Supermule

                                        I wouldn't do that, but hey…. what to do to get their attention to this pretty important issue :)

                                        kejianshi

                                          I imagine they want to give their GFs and wives a little personal time sometimes…

                                          Maybe there is currently no fix?  Nothing to say?  Things are always quieter on the forum weekends...

                                          Plus in Texas where a few of the main guys are located, it's like EARLY morning.

                                          Supermule

                                            Only the earliest bird catches the fattest worms ;)
