DDoS pfSense dies on XSYN and OVH scripts.
-
edit: scratch this, "tot_len" looks to be passed around. datagram may be MAX_PACKET_SIZE, but tot_len is used.
Just glancing through the code, it looks as if it's sending SYN packets with data in them.

memset(datagram, 0, MAX_PACKET_SIZE);
setup_ip_header(iph);
setup_tcp_header(tcph);
tcph->dest = htons(floodport);
iph->daddr = sin.sin_addr.s_addr;
iph->check = csum ((unsigned short *) datagram, iph->tot_len);
~~What's also interesting is that MAX_PACKET_SIZE is defined as 4096, which would mean it would need to get fragmented.
So assuming that I'm reading the code correctly, we're talking about 4KB SYN packets that are fragmented. I don't know if cookies are useful against SYN packets with data, yet alone fragmented.~~
Again, we'll have to see some example dumps.
-
Wouldn't that rule cover it?
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED BAD-TRAFFIC data in TCP SYN packet"; flow:stateless; dsize:>6; flags:S,12; reference:url,www.cert.org/incident_notes/IN-99-07.html; classtype:misc-activity; sid:526; rev:14;)
Still… w/o a pcap it's all mumbo jumbo...
http://manual.snort.org/node33.html
When we see it, it's possible to play with flow, seq, ttl, size, etc.
F.
-
100 packets capture, full log view.
10:30:39.512882 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 15609, offset 0, flags [none], proto TCP (6), length 40)
124.126.1.96.12168 > 80.197.144.99.80: Flags [S], cksum 0x1957 (correct), seq 128778240, win 0, length 0
10:30:39.512889 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 244, id 55269, offset 0, flags [none], proto TCP (6), length 40)
146.165.177.209.56401 > 80.197.144.99.80: Flags [S], cksum 0xcd22 (correct), seq 3766353920, win 0, length 0
10:30:39.512894 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 5448, offset 0, flags [none], proto TCP (6), length 40)
142.229.57.191.34479 > 80.197.144.99.80: Flags [S], cksum 0xc66e (correct), seq 3097952256, win 0, length 0
10:30:39.512900 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 8226, offset 0, flags [none], proto TCP (6), length 40)
98.180.161.223.44311 > 80.197.144.99.80: Flags [S], cksum 0x7344 (correct), seq 2843344896, win 0, length 0
10:30:39.512905 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 25435, offset 0, flags [none], proto TCP (6), length 40)
181.82.109.47.28448 > 80.197.144.99.80: Flags [S], cksum 0x81eb (correct), seq 3134980096, win 0, length 0
10:30:39.512916 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 244, id 62920, offset 0, flags [none], proto TCP (6), length 40)
121.220.208.214.22518 > 80.197.144.99.80: Flags [S], cksum 0xd178 (correct), seq 1514668032, win 0, length 0
10:30:39.512923 00:0c:29:d4:ef:2c > 4c:00:82:ee:cf:d9, ethertype IPv4 (0x0800), length 58: (tos 0x0, ttl 127, id 255, offset 0, flags [DF], proto TCP (6), length 44)
80.197.144.99.80 > 66.247.29.183.56944: Flags [S.], cksum 0x6ac1 (correct), seq 974824198, ack 261881857, win 8192, options [mss 1460], length 0
10:30:39.512929 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 59540, offset 0, flags [none], proto TCP (6), length 40)
119.25.145.201.64822 > 80.197.144.99.80: Flags [S], cksum 0x766d (correct), seq 1373831168, win 0, length 0
10:30:39.512979 00:0c:29:d4:ef:2c > 4c:00:82:ee:cf:d9, ethertype IPv4 (0x0800), length 58: (tos 0x0, ttl 127, id 256, offset 0, flags [DF], proto TCP (6), length 44)
80.197.144.99.80 > 63.118.133.110.20856: Flags [S.], cksum 0x7898 (correct), seq 850731965, ack 2973040641, win 8192, options [mss 1460], length 0
10:30:39.513032 00:0c:29:d4:ef:2c > 4c:00:82:ee:cf:d9, ethertype IPv4 (0x0800), length 58: (tos 0x0, ttl 127, id 257, offset 0, flags [DF], proto TCP (6), length 44)
80.197.144.99.80 > 194.251.26.247.64387: Flags [S.], cksum 0xa9d7 (correct), seq 780280974, ack 3225288705, win 8192, options [mss 1460], length 0
10:30:39.513069 00:0c:29:d4:ef:2c > 4c:00:82:ee:cf:d9, ethertype IPv4 (0x0800), length 58: (tos 0x0, ttl 127, id 258, offset 0, flags [DF], proto TCP (6), length 44)
80.197.144.99.80 > 24.254.59.7.40452: Flags [S.], cksum 0x341d (correct), seq 2301007402, ack 1361379329, win 8192, options [mss 1460], length 0
10:30:39.513105 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 58084, offset 0, flags [none], proto TCP (6), length 40)
132.56.232.167.26069 > 80.197.144.99.80: Flags [S], cksum 0x8170 (correct), seq 2051276800, win 0, length 0
10:30:39.513111 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 25107, offset 0, flags [none], proto TCP (6), length 40)
217.240.47.106.37841 > 80.197.144.99.80: Flags [S], cksum 0xe3a3 (correct), seq 1301938176, win 0, length 0
10:30:39.513116 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 32613, offset 0, flags [none], proto TCP (6), length 40)
203.27.178.8.42841 > 80.197.144.99.80: Flags [S], cksum 0x25e2 (correct), seq 2215247872, win 0, length 0
10:30:39.513129 00:0c:29:d4:ef:2c > 4c:00:82:ee:cf:d9, ethertype IPv4 (0x0800), length 58: (tos 0x0, ttl 127, id 259, offset 0, flags [DF], proto TCP (6), length 44)
80.197.144.99.80 > 90.32.123.216.56239: Flags [S.], cksum 0xf380 (correct), seq 3316227498, ack 2384396289, win 8192, options [mss 1460], length 0
10:30:39.513138 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 40324, offset 0, flags [none], proto TCP (6), length 40)
138.148.30.251.1975 > 80.197.144.99.80: Flags [S], cksum 0x8f77 (correct), seq 2376859648, win 0, length 0
10:30:39.513143 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 38512, offset 0, flags [none], proto TCP (6), length 40)
126.105.143.214.53029 > 80.197.144.99.80: Flags [S], cksum 0x7de9 (correct), seq 1931149312, win 0, length 0
10:30:39.513148 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 244, id 21053, offset 0, flags [none], proto TCP (6), length 40)
125.41.180.149.55609 > 80.197.144.99.80: Flags [S], cksum 0x6edc (correct), seq 1419051008, win 0, length 0
10:30:39.513153 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 12435, offset 0, flags [none], proto TCP (6), length 40)
134.129.53.201.56635 > 80.197.144.99.80: Flags [S], cksum 0x2d4e (correct), seq 127270912, win 0, length 0
10:30:39.513157 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 13121, offset 0, flags [none], proto TCP (6), length 40)
135.55.17.72.64101 > 80.197.144.99.80: Flags [S], cksum 0x481a (correct), seq 4083810304, win 0, length 0
10:30:39.513171 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 42913, offset 0, flags [none], proto TCP (6), length 40)
146.221.69.178.15824 > 80.197.144.99.80: Flags [S], cksum 0x8c3e (correct), seq 734789632, win 0, length 0
10:30:39.513176 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 37333, offset 0, flags [none], proto TCP (6), length 40)
140.154.19.76.28946 > 80.197.144.99.80: Flags [S], cksum 0xd946 (correct), seq 3827957760, win 0, length 0
10:30:39.513181 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 244, id 24788, offset 0, flags [none], proto TCP (6), length 40)
183.130.66.135.25433 > 80.197.144.99.80: Flags [S], cksum 0xfc53 (correct), seq 1957888000, win 0, length 0
10:30:39.513185 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 41109, offset 0, flags [none], proto TCP (6), length 40)
96.250.94.246.26385 > 80.197.144.99.80: Flags [S], cksum 0x4012 (correct), seq 1733689344, win 0, length 0
10:30:39.513193 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 244, id 36016, offset 0, flags [none], proto TCP (6), length 40)
42.233.83.95.32369 > 80.197.144.99.80: Flags [S], cksum 0x7181 (correct), seq 1613692928, win 0, length 0
10:30:39.513198 00:0c:29:d4:ef:2c > 4c:00:82:ee:cf:d9, ethertype IPv4 (0x0800), length 58: (tos 0x0, ttl 127, id 260, offset 0, flags [DF], proto TCP (6), length 44)
80.197.144.99.80 > 174.62.195.127.17079: Flags [S.], cksum 0x5c79 (correct), seq 3567492465, ack 328794113, win 8192, options [mss 1460], length 0
10:30:39.513204 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 244, id 23555, offset 0, flags [none], proto TCP (6), length 40)
133.237.77.73.15765 > 80.197.144.99.80: Flags [S], cksum 0x3c91 (correct), seq 2165112832, win 0, length 0
10:30:39.513210 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 20533, offset 0, flags [none], proto TCP (6), length 40)
194.82.219.188.26186 > 80.197.144.99.80: Flags [S], cksum 0x1c61 (correct), seq 2913927168, win 0, length 0
10:30:39.513215 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 244, id 29941, offset 0, flags [none], proto TCP (6), length 40)
2.175.116.175.56648 > 80.197.144.99.80: Flags [S], cksum 0xabbc (correct), seq 3456499712, win 0, length 0
10:30:39.513219 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 11326, offset 0, flags [none], proto TCP (6), length 40)
77.224.169.12.27795 > 80.197.144.99.80: Flags [S], cksum 0x47d4 (correct), seq 588644352, win 0, length 0
10:30:39.513229 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 21511, offset 0, flags [none], proto TCP (6), length 40)
59.27.175.229.27925 > 80.197.144.99.80: Flags [S], cksum 0x7142 (correct), seq 85065728, win 0, length 0
10:30:39.513234 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 244, id 35835, offset 0, flags [none], proto TCP (6), length 40)
177.25.59.242.24222 > 80.197.144.99.80: Flags [S], cksum 0x5223 (correct), seq 815595520, win 0, length 0
10:30:39.513238 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 31334, offset 0, flags [none], proto TCP (6), length 40)
169.234.140.63.18063 > 80.197.144.99.80: Flags [S], cksum 0x10e5 (correct), seq 1087111168, win 0, length 0
10:30:39.513243 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 44152, offset 0, flags [none], proto TCP (6), length 40)
8.84.151.119.14632 > 80.197.144.99.80: Flags [S], cksum 0x93e6 (correct), seq 1636827136, win 0, length 0
10:30:39.513248 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 7412, offset 0, flags [none], proto TCP (6), length 40)
221.82.85.146.9125 > 80.197.144.99.80: Flags [S], cksum 0xbb9d (correct), seq 3158441984, win 0, length 0
10:30:39.513255 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 244, id 21173, offset 0, flags [none], proto TCP (6), length 40)
46.183.138.45.4730 > 80.197.144.99.80: Flags [S], cksum 0x9113 (correct), seq 1912078336, win 0, length 0
10:30:39.513259 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 25625, offset 0, flags [none], proto TCP (6), length 40)
181.120.7.61.44990 > 80.197.144.99.80: Flags [S], cksum 0xb9d9 (correct), seq 2820407296, win 0, length 0
10:30:39.513264 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 37713, offset 0, flags [none], proto TCP (6), length 40)
125.185.112.15.5395 > 80.197.144.99.80: Flags [S], cksum 0xab36 (correct), seq 542638080, win 0, length 0
10:30:39.513269 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 244, id 34266, offset 0, flags [none], proto TCP (6), length 40)
44.27.106.98.25930 > 80.197.144.99.80: Flags [S], cksum 0xb80e (correct), seq 445906944, win 0, length 0
10:30:39.513274 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 244, id 3720, offset 0, flags [none], proto TCP (6), length 40)
55.5.128.17.25981 > 80.197.144.99.80: Flags [S], cksum 0xad36 (correct), seq 77594624, win 0, length 0
10:30:39.513281 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 57514, offset 0, flags [none], proto TCP (6), length 40)
135.124.240.221.8915 > 80.197.144.99.80: Flags [S], cksum 0xb024 (correct), seq 2199388160, win 0, length 0
10:30:39.513285 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 3550, offset 0, flags [none], proto TCP (6), length 40)
91.191.90.204.49263 > 80.197.144.99.80: Flags [S], cksum 0x8286 (correct), seq 3571974144, win 0, length 0
10:30:39.513290 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 30244, offset 0, flags [none], proto TCP (6), length 40)
37.132.112.137.61653 > 80.197.144.99.80: Flags [S], cksum 0x12fe (correct), seq 881393664, win 0, length 0
10:30:39.513295 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 27034, offset 0, flags [none], proto TCP (6), length 40)
190.99.190.67.52735 > 80.197.144.99.80: Flags [S], cksum 0xd9a5 (correct), seq 2854027264, win 0, length 0
10:30:39.513299 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 64661, offset 0, flags [none], proto TCP (6), length 40)
118.109.155.34.23598 > 80.197.144.99.80: Flags [S], cksum 0x4deb (correct), seq 314638336, win 0, length 0
10:30:39.513306 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 56817, offset 0, flags [none], proto TCP (6), length 40)
88.170.38.208.52781 > 80.197.144.99.80: Flags [S], cksum 0xf671 (correct), seq 2320498688, win 0, length 0
10:30:39.513311 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 244, id 34707, offset 0, flags [none], proto TCP (6), length 40)
110.166.177.145.23689 > 80.197.144.99.80: Flags [S], cksum 0x71d9 (correct), seq 3754885120, win 0, length 0
10:30:39.513315 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 55794, offset 0, flags [none], proto TCP (6), length 40)
94.43.246.118.9586 > 80.197.144.99.80: Flags [S], cksum 0xb3bd (correct), seq 2694316032, win 0, length 0
10:30:39.513320 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 52303, offset 0, flags [none], proto TCP (6), length 40)
213.89.0.90.40753 > 80.197.144.99.80: Flags [S], cksum 0x68b3 (correct), seq 4040228864, win 0, length 0
10:30:39.513326 00:0c:29:d4:ef:2c > 4c:00:82:ee:cf:d9, ethertype IPv4 (0x0800), length 58: (tos 0x0, ttl 127, id 261, offset 0, flags [DF], proto TCP (6), length 44)
80.197.144.99.80 > 216.157.141.54.9831: Flags [S.], cksum 0x9a91 (correct), seq 2949879653, ack 680984577, win 8192, options [mss 1460], length 0
10:30:39.513332 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 28785, offset 0, flags [none], proto TCP (6), length 40)
91.25.215.249.27514 > 80.197.144.99.80: Flags [S], cksum 0x59f5 (correct), seq 3588685824, win 0, length 0
10:30:39.513344 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 52053, offset 0, flags [none], proto TCP (6), length 40)
177.13.166.204.32876 > 80.197.144.99.80: Flags [S], cksum 0xf5b1 (correct), seq 7471104, win 0, length 0
10:30:39.513349 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 1589, offset 0, flags [none], proto TCP (6), length 40)
219.189.244.20.17361 > 80.197.144.99.80: Flags [S], cksum 0xb745 (correct), seq 58785792, win 0, length 0
10:30:39.513354 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 26750, offset 0, flags [none], proto TCP (6), length 40)
63.48.11.253.57233 > 80.197.144.99.80: Flags [S], cksum 0x0017 (correct), seq 2744385536, win 0, length 0
10:30:39.513358 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 244, id 23381, offset 0, flags [none], proto TCP (6), length 40)
200.108.55.167.11648 > 80.197.144.99.80: Flags [S], cksum 0x85d7 (correct), seq 452919296, win 0, length 0
10:30:39.513363 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 244, id 53581, offset 0, flags [none], proto TCP (6), length 40)
37.55.185.36.60295 > 80.197.144.99.80: Flags [S], cksum 0xebcb (correct), seq 414908416, win 0, length 0
10:30:39.513371 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 39173, offset 0, flags [none], proto TCP (6), length 40)
67.87.60.183.39445 > 80.197.144.99.80: Flags [S], cksum 0x4793 (correct), seq 1823670272, win 0, length 0
10:30:39.513376 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 23125, offset 0, flags [none], proto TCP (6), length 40)
36.103.23.138.50138 > 80.197.144.99.80: Flags [S], cksum 0xed1f (correct), seq 3783131136, win 0, length 0
10:30:39.513381 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 59205, offset 0, flags [none], proto TCP (6), length 40)
121.160.127.210.11664 > 80.197.144.99.80: Flags [S], cksum 0xe00b (correct), seq 3344629760, win 0, length 0
10:30:39.513386 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 6157, offset 0, flags [none], proto TCP (6), length 40)
76.192.43.182.47350 > 80.197.144.99.80: Flags [S], cksum 0xf953 (correct), seq 2745761792, win 0, length 0
10:30:39.513391 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 42872, offset 0, flags [none], proto TCP (6), length 40)
115.58.37.86.40228 > 80.197.144.99.80: Flags [S], cksum 0x76e6 (correct), seq 567214080, win 0, length 0
10:30:39.513398 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 29957, offset 0, flags [none], proto TCP (6), length 40)
176.6.73.99.25224 > 80.197.144.99.80: Flags [S], cksum 0x13a0 (correct), seq 1591214080, win 0, length 0
10:30:39.513403 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 48650, offset 0, flags [none], proto TCP (6), length 40)
8.68.171.27.33870 > 80.197.144.99.80: Flags [S], cksum 0x11e1 (correct), seq 2228944896, win 0, length 0
10:30:39.513408 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 26457, offset 0, flags [none], proto TCP (6), length 40)
94.38.149.168.14235 > 80.197.144.99.80: Flags [S], cksum 0xf10a (correct), seq 2985623552, win 0, length 0
10:30:39.513413 00:0c:29:d4:ef:2c > 4c:00:82:ee:cf:d9, ethertype IPv4 (0x0800), length 58: (tos 0x0, ttl 127, id 262, offset 0, flags [DF], proto TCP (6), length 44)
80.197.144.99.80 > 131.66.70.131.22774: Flags [S.], cksum 0x91bc (correct), seq 57387859, ack 862322689, win 8192, options [mss 1460], length 0
10:30:39.513419 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 22501, offset 0, flags [none], proto TCP (6), length 40)
195.160.175.23.11191 > 80.197.144.99.80: Flags [S], cksum 0x4ebf (correct), seq 3778740224, win 0, length 0
10:30:39.513425 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 244, id 27576, offset 0, flags [none], proto TCP (6), length 40)
223.227.192.194.46917 > 80.197.144.99.80: Flags [S], cksum 0x9152 (correct), seq 3844800512, win 0, length 0
10:30:39.513441 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 43814, offset 0, flags [none], proto TCP (6), length 40)
204.24.245.215.843 > 80.197.144.99.80: Flags [S], cksum 0x66a0 (correct), seq 2727215104, win 0, length 0
10:30:39.513445 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 12500, offset 0, flags [none], proto TCP (6), length 40)
189.41.42.152.5526 > 80.197.144.99.80: Flags [S], cksum 0x8104 (correct), seq 1343094784, win 0, length 0
10:30:39.513450 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 34489, offset 0, flags [none], proto TCP (6), length 40)
169.236.74.249.18580 > 80.197.144.99.80: Flags [S], cksum 0x6010 (correct), seq 819986432, win 0, length 0
10:30:39.513455 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 35681, offset 0, flags [none], proto TCP (6), length 40)
147.250.245.164.48820 > 80.197.144.99.80: Flags [S], cksum 0x729d (correct), seq 326696960, win 0, length 0
10:30:39.513460 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 30816, offset 0, flags [none], proto TCP (6), length 40)
193.179.137.86.23006 > 80.197.144.99.80: Flags [S], cksum 0x9c8a (correct), seq 2364997632, win 0, length 0
10:30:39.513467 00:0c:29:d4:ef:2c > 4c:00:82:ee:cf:d9, ethertype IPv4 (0x0800), length 58: (tos 0x0, ttl 127, id 263, offset 0, flags [DF], proto TCP (6), length 44)
80.197.144.99.80 > 44.0.129.199.14410: Flags [S.], cksum 0xa854 (correct), seq 374786227, ack 690814977, win 8192, options [mss 1460], length 0
10:30:39.513480 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 244, id 18975, offset 0, flags [none], proto TCP (6), length 40)
121.19.8.238.5090 > 80.197.144.99.80: Flags [S], cksum 0x3603 (correct), seq 42205184, win 0, length 0
10:30:39.513487 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 244, id 8278, offset 0, flags [none], proto TCP (6), length 40)
216.22.210.177.33699 > 80.197.144.99.80: Flags [S], cksum 0xe79f (correct), seq 3093168128, win 0, length 0
10:30:39.513492 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 244, id 8242, offset 0, flags [none], proto TCP (6), length 40)
194.244.107.73.23806 > 80.197.144.99.80: Flags [S], cksum 0xcd4b (correct), seq 1977745408, win 0, length 0
10:30:39.513497 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 26266, offset 0, flags [none], proto TCP (6), length 40)
107.175.181.36.50561 > 80.197.144.99.80: Flags [S], cksum 0x5fe4 (correct), seq 2284847104, win 0, length 0
10:30:39.513503 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 48456, offset 0, flags [none], proto TCP (6), length 40)
57.198.49.57.38923 > 80.197.144.99.80: Flags [S], cksum 0x8dd6 (correct), seq 1032388608, win 0, length 0
10:30:39.513508 00:0c:29:d4:ef:2c > 4c:00:82:ee:cf:d9, ethertype IPv4 (0x0800), length 58: (tos 0x0, ttl 127, id 264, offset 0, flags [DF], proto TCP (6), length 44)
80.197.144.99.80 > 2.198.224.97.4328: Flags [S.], cksum 0x8cf1 (correct), seq 2618298798, ack 1742536705, win 8192, options [mss 1460], length 0
10:30:39.513524 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 10933, offset 0, flags [none], proto TCP (6), length 40)
118.47.10.10.37511 > 80.197.144.99.80: Flags [S], cksum 0x77e0 (correct), seq 1137246208, win 0, length 0
10:30:39.513530 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 18890, offset 0, flags [none], proto TCP (6), length 40)
14.97.99.96.64512 > 80.197.144.99.80: Flags [S], cksum 0x444d (correct), seq 475725824, win 0, length 0
10:30:39.513535 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 56690, offset 0, flags [none], proto TCP (6), length 40)
213.185.151.218.28524 > 80.197.144.99.80: Flags [S], cksum 0x4ab7 (correct), seq 2796683264, win 0, length 0
10:30:39.513540 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 10111, offset 0, flags [none], proto TCP (6), length 40)
115.139.24.147.18068 > 80.197.144.99.80: Flags [S], cksum 0x0220 (correct), seq 4187422720, win 0, length 0
10:30:39.513544 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 52710, offset 0, flags [none], proto TCP (6), length 40)
71.173.24.70.9953 > 80.197.144.99.80: Flags [S], cksum 0x6dc6 (correct), seq 3654221824, win 0, length 0
10:30:39.513552 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 14602, offset 0, flags [none], proto TCP (6), length 40)
204.177.133.114.52854 > 80.197.144.99.80: Flags [S], cksum 0xccdc (correct), seq 3773956096, win 0, length 0
10:30:39.513557 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 246, id 57342, offset 0, flags [none], proto TCP (6), length 40)
193.10.116.216.4499 > 80.197.144.99.80: Flags [R.], cksum 0x62a2 (correct), seq 412614657, ack 272030576, win 8192, length 0
10:30:39.513562 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 56996, offset 0, flags [none], proto TCP (6), length 40)
177.149.63.251.26442 > 80.197.144.99.80: Flags [S], cksum 0xb4e5 (correct), seq 3232301056, win 0, length 0
10:30:39.513566 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 15885, offset 0, flags [none], proto TCP (6), length 40)
40.70.22.155.19703 > 80.197.144.99.80: Flags [S], cksum 0xdf78 (correct), seq 1662582784, win 0, length 0
10:30:39.513572 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 244, id 32827, offset 0, flags [none], proto TCP (6), length 40)
125.223.226.137.39765 > 80.197.144.99.80: Flags [S], cksum 0xd449 (correct), seq 4267769856, win 0, length 0
10:30:39.513577 00:0c:29:d4:ef:2c > 4c:00:82:ee:cf:d9, ethertype IPv4 (0x0800), length 58: (tos 0x0, ttl 127, id 265, offset 0, flags [DF], proto TCP (6), length 44)
80.197.144.99.80 > 170.170.168.141.23827: Flags [S.], cksum 0x2af0 (correct), seq 705454965, ack 769654785, win 8192, options [mss 1460], length 0
10:30:39.513586 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 50018, offset 0, flags [none], proto TCP (6), length 40)
159.28.31.228.48209 > 80.197.144.99.80: Flags [S], cksum 0xa3a2 (correct), seq 2943680512, win 0, length 0
10:30:39.513591 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 244, id 63898, offset 0, flags [none], proto TCP (6), length 40)
111.154.126.162.61744 > 80.197.144.99.80: Flags [S], cksum 0x74ec (correct), seq 2047868928, win 0, length 0
10:30:39.513596 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 244, id 38298, offset 0, flags [none], proto TCP (6), length 40)
16.190.128.37.39392 > 80.197.144.99.80: Flags [S], cksum 0x6e4b (correct), seq 895156224, win 0, length 0
10:30:39.513601 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 59199, offset 0, flags [none], proto TCP (6), length 40)
89.254.93.239.54706 > 80.197.144.99.80: Flags [S], cksum 0x0020 (correct), seq 1084882944, win 0, length 0
10:30:39.513606 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 244, id 49941, offset 0, flags [none], proto TCP (6), length 40)
152.194.98.1.53241 > 80.197.144.99.80: Flags [S], cksum 0x89ae (correct), seq 2046689280, win 0, length 0
10:30:39.513622 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 4695, offset 0, flags [none], proto TCP (6), length 40)
189.190.106.217.65131 > 80.197.144.99.80: Flags [S], cksum 0x1ba0 (correct), seq 2345009152, win 0, length 0
10:30:39.513651 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 12874, offset 0, flags [none], proto TCP (6), length 40)
219.88.57.232.26546 > 80.197.144.99.80: Flags [S], cksum 0x0244 (correct), seq 1328742400, win 0, length 0
10:30:39.513676 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 28154, offset 0, flags [none], proto TCP (6), length 40)
50.153.123.61.7786 > 80.197.144.99.80: Flags [S], cksum 0x0193 (correct), seq 9895936, win 0, length 0
10:30:39.513681 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 29173, offset 0, flags [none], proto TCP (6), length 40)
145.164.64.162.49027 > 80.197.144.99.80: Flags [S], cksum 0x9d60 (correct), seq 2671706112, win 0, length 0
10:30:39.513686 00:0c:29:d4:ef:2c > 4c:00:82:ee:cf:d9, ethertype IPv4 (0x0800), length 58: (tos 0x0, ttl 127, id 266, offset 0, flags [DF], proto TCP (6), length 44)
80.197.144.99.80 > 86.202.253.217.29017: Flags [S.], cksum 0xdb07 (correct), seq 719532581, ack 2559508481, win 8192, options [mss 1460], length 0
-
I am, by the way, running stateless as a test since it doesn't have any impact running with SYN cookies enabled :)
-
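Added example, not part of any post in this thread: a small parser for this kind of two-line tcpdump output, run over five packets copied from the capture above (three inbound SYNs, one SYN-ACK from 80.197.144.99 and the single RST). The "[S]" after "Flags" is restored in the sample; the forum rendering swallowed it as a BBCode tag, which is why the inbound lines above show a bare "Flags,". The summary pulls out what one would otherwise check by eye: every SYN comes from a different source address, all carry win 0 and no TCP options in a 40-byte IP packet, the TTLs sit at 243/244, the low 16 bits of every sequence number are zero (consistent with a 16-bit random value being written into the 32-bit field, not with a real TCP stack), and no SYN carries payload, so the Snort rule sid:526 quoted earlier (dsize:>6 on a SYN) would never fire on this traffic. The RST is backscatter: a real host that received one of the SYN-ACKs sent to a spoofed address.

```python
import re
from collections import Counter

# Constructed sample: five packets copied from the capture above (tcpdump -e -vv
# prints two lines per packet). "[S]" after "Flags" is restored here.
SAMPLE = """\
10:30:39.512882 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 15609, offset 0, flags [none], proto TCP (6), length 40)
124.126.1.96.12168 > 80.197.144.99.80: Flags [S], cksum 0x1957 (correct), seq 128778240, win 0, length 0
10:30:39.512889 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 244, id 55269, offset 0, flags [none], proto TCP (6), length 40)
146.165.177.209.56401 > 80.197.144.99.80: Flags [S], cksum 0xcd22 (correct), seq 3766353920, win 0, length 0
10:30:39.512894 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 5448, offset 0, flags [none], proto TCP (6), length 40)
142.229.57.191.34479 > 80.197.144.99.80: Flags [S], cksum 0xc66e (correct), seq 3097952256, win 0, length 0
10:30:39.512923 00:0c:29:d4:ef:2c > 4c:00:82:ee:cf:d9, ethertype IPv4 (0x0800), length 58: (tos 0x0, ttl 127, id 255, offset 0, flags [DF], proto TCP (6), length 44)
80.197.144.99.80 > 66.247.29.183.56944: Flags [S.], cksum 0x6ac1 (correct), seq 974824198, ack 261881857, win 8192, options [mss 1460], length 0
10:30:39.513557 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 246, id 57342, offset 0, flags [none], proto TCP (6), length 40)
193.10.116.216.4499 > 80.197.144.99.80: Flags [R.], cksum 0x62a2 (correct), seq 412614657, ack 272030576, win 8192, length 0
"""

HDR = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), "
    r"ethertype IPv4 \(0x0800\), length (?P<frame_len>\d+): \(tos 0x[0-9a-f]+, "
    r"ttl (?P<ttl>\d+), id (?P<ipid>\d+), offset (?P<offset>\d+), "
    r"flags \[(?P<ipflags>[^\]]*)\], proto TCP \(6\), length (?P<ip_len>\d+)\)$"
)
# The "[S]" group is optional so the bracket-stripped lines of the post still
# parse; their flags are then recorded as "?" and not counted as SYNs.
TCP = re.compile(
    r"^(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags(?: \[(?P<flags>[^\]]*)\])?, cksum 0x[0-9a-f]+ \([^)]*\), "
    r"seq (?P<seq>\d+)(?::\d+)?(?:, ack (?P<ack>\d+))?, win (?P<win>\d+)"
    r"(?:, options \[(?P<opts>[^\]]*)\])?, length (?P<plen>\d+)$"
)
INT_FIELDS = ("frame_len", "ttl", "ipid", "offset", "ip_len",
              "sport", "dport", "seq", "win", "plen")


def parse_tcpdump(text):
    """Pair each IP header line with the TCP line that follows it."""
    packets, hdr = [], None
    for line in text.splitlines():
        line = line.strip()
        m = HDR.match(line)
        if m:
            hdr = m.groupdict()
            continue
        m = TCP.match(line)
        if m and hdr is not None:
            p = {**hdr, **m.groupdict()}
            for k in INT_FIELDS:
                p[k] = int(p[k])
            p["flags"] = p["flags"] or "?"
            packets.append(p)
            hdr = None
    return packets


def summarize(packets, victim):
    """Fingerprint of the SYNs aimed at victim, plus the victim's replies."""
    syns = [p for p in packets if p["dst"] == victim and p["flags"] == "S"]
    synacks = [p for p in packets if p["src"] == victim and p["flags"] == "S."]
    rsts = [p for p in packets if p["dst"] == victim and "R" in p["flags"]]
    return {
        "syn": len(syns),
        "synack": len(synacks),
        "rst_backscatter": len(rsts),  # spoofed "sources" answering our SYN-ACK
        "unique_sources": len({p["src"] for p in syns}),
        "ttl": sorted(Counter(p["ttl"] for p in syns).items()),
        "win": sorted(Counter(p["win"] for p in syns).items()),
        "ip_len": sorted(Counter(p["ip_len"] for p in syns).items()),
        "no_tcp_options": sum(1 for p in syns if not p["opts"]),
        # A 16-bit value written into the 32-bit seq field leaves the low
        # 16 bits zero on the wire; a real stack's ISN does not look like this.
        "seq_low16_zero": sum(1 for p in syns if p["seq"] & 0xFFFF == 0),
        # Condition of Snort sid:526 quoted earlier: SYN carrying >6 data bytes.
        "data_in_syn_sid526": sum(1 for p in syns if p["plen"] > 6),
    }


if __name__ == "__main__":
    for k, v in summarize(parse_tcpdump(SAMPLE), "80.197.144.99").items():
        print(f"{k:22} {v}")
```

To run it over the whole capture, paste the 200 lines above into SAMPLE (or read them from a file); on the full dump every inbound SYN shares the same win 0 / no-options / low-16-bits-zero profile, which is a far tighter signature than "SYN to port 80".
-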
After re-reading the code this morning and looking at the packet dump, it seems "tot_len" is being set and used as the IP+TCP header size.
iph->tot_len = sizeof(struct iphdr) + sizeof(struct tcphdr);
No fragmented data wielding SYN packets here.
-
I've stopped a DDoS on my network by setting advanced rule options to limit connections per second and total states per IP.
Then I reduced the rule block time. My link dropped from 100% to 30% during the attack.
-
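Added example, not from the thread: the pf.conf syntax behind the pfSense per-rule "Advanced Options" mentioned above, with the weak form beside the stronger one. The interface em0, the table name <flooders>, the target address (taken from the capture) and every numeric value are assumptions. The caveat that matters for a spoofed flood: max-src-states and max-src-conn-rate are tracked per source address, and a spoofed flood never shows the same source twice; synproxy keeps the spoofed SYNs off the server, but pf still allocates a state for each one, so the state limits and timeouts are what decide whether the firewall itself survives.

```pf
# Added example, not part of the thread. Interface, address, table name and
# all numbers are placeholders. pf.conf order: tables/options, then rules.
table <flooders> persist

# Global state-table settings (pfSense: System > Advanced > Firewall & NAT).
# Short first-packet timeouts age out half-open spoofed SYNs quickly;
# adaptive timeouts scale timeouts down as the table fills.
set limit states 200000
set timeout { tcp.first 20, tcp.opening 10 }
set timeout { adaptive.start 120000, adaptive.end 240000 }

# Weak: plain state-keeping with "max states per source". Every spoofed SYN
# carries a different source address, so no single source ever reaches the
# limit and the state table just keeps filling.
# pass in quick on em0 proto tcp from any to 80.197.144.99 port 80 \
#     flags S/SA keep state (max-src-states 50)

# Stronger: pf answers the SYN itself and only opens the connection to the
# server after the client completes the handshake, so spoofed SYNs never reach
# the web server. max-src-conn-rate counts completed handshakes, so it throttles
# real clients; it does nothing against spoofed sources.
block in quick on em0 from <flooders> to any
pass in quick on em0 proto tcp from any to 80.197.144.99 port 80 \
    flags S/SA synproxy state \
    (max-src-conn-rate 30/10, overload <flooders> flush global)
```

Check the effect with `pfctl -si` (state-table counters and current entries) and `pfctl -t flooders -T show` while under load; if the state count climbs at the packet rate regardless, the limit is the firewall's state table and not the rule options.
-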
In this case, total states per IP won't help because they're spoofed.
I don't see what's so special about these packets. They're all the standard 60 length IP+TCP, and 40 length IP. Both IP and TCP checksums are valid, IP has no flags, TCP's only flag is SYN, random source ports, random Seq numbers. I must be missing something, but it looks like a normal SYN flood, but it isn't.
-
Send me a PM with your ext. IP and pfsense behind looking at port80.
Then I will flood it for 180 secs and then you will see how it responds.
It just goes offline instantly…
-
I don't know, sounds like a sure-fire way to get packet-loss on my quality graph. Almost up to a week of 0 packets lost and a 1.2ms avg ping. Maybe in a few days, once I take a picture :-)
I don't mean 0.0% packet-loss, I mean 0 packets in actual numbers. I already have 0.0%, but there's some red on that quality graph.
-
Chris was going to get back to us with a testing IP, but we haven't heard anything yet.
-
Look at the ping to the LAN side of pfSense…
http://youtu.be/HoGQ_2sg0J0
LAN goes offline and tries to keep going. On the test server I see maybe 25 mbit of traffic and nothing that renders it useless at all.
pf just dies completely. With this I can take down any site running pfSense if I want to.
If you run Windows FW on the server with no pfSense in front, no issues.
-
FYI, your public IP is shown on your interfaces widget.
Another FYI, I get a nice stable ping to your gateway. Nice upstream :-)
Ping statistics for 80.x.x.x:
    Packets: Sent = 149, Received = 149, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 138ms, Maximum = 141ms, Average = 139ms

  4    15 ms    15 ms    16 ms  tengigabitethernet4-4.ar7.chi1.gblx.net [67.17.213.117]
  5   108 ms   107 ms   108 ms  4.68.110.157
  6   103 ms   103 ms   103 ms  ae-116-3502.edge3.London1.Level3.net [4.69.166.134]
  7   103 ms   103 ms   103 ms  ae-116-3502.edge3.London1.Level3.net [4.69.166.134]
  8   138 ms   138 ms   138 ms  tdcdenmark-level3-xe.london1.Level3.net [4.68.63.90]
  9   139 ms   140 ms   140 ms  ae1-0.taanqe10.dk.ip.tdc.net [83.88.22.247]
 10   140 ms   140 ms   141 ms  cpe.ae11-388.taanqe10.dk.customer.tdc.net [62.243.131.198]
 11   139 ms   139 ms   140 ms  80.x.x.x
-
:D It's my home network so I don't care about that.
Just removed Squid to see if it handles traffic better…
Edit: It didn't.... :(
-
And the forum goes down at once as well.
It's the engine of pfSense that's the issue here. Core functionality is being hit here, and nothing done in the GUI or elsewhere can prevent it.
-
So what's up here? Anyone tested this on FreeBSD?
-
Spoofed packet attacks may be used to overload the kernel route cache. A
spoofed packet attack uses random source IPs to cause the kernel to generate
a temporary cached route in the route table, Route cache is an extraneous
caching layer mapping interfaces to routes to IPs and saves a lookup to the
Forward Information Base (FIB); a routing table within the network stack. The
IPv4 routing cache was intended to eliminate a FIB lookup and increase
performance. While a good idea in principle, unfortunately it provided a very
small performance boost in less than 10% of connections and opens up the
possibility of a DoS vector. Setting rtexpire and rtminexpire to two(2)
seconds should be sufficient to protect the route table from attack.
http://www.es.freebsd.org/doc/handbook/securing-freebsd.html
net.inet.ip.rtexpire=2 # (default 3600)
net.inet.ip.rtminexpire=2 # (default 10 )
#net.inet.ip.rtmaxcache=128 # (default 128 )

Does anybody have any comments on this? It seems to be deep within the routing stack that this occurs.
-
Just out of curiosity, why would you want to store individual IP addresses in a routing table? Isn't that the whole point of subnet masks and routing tables?
-
I don't know… it's nowhere to be found in pfSense so I added it manually to get rid of it...
-
So, is there progress being made in coming up with a set of safe defaults that mitigate this attack in 2.2.1?
-
So the change helped?
It sounds like the best thing might be to disable it completely. Since that probably can't happen, I wonder if there are values smaller than 2 seconds that may be better. I could see low-end boxes being much more sensitive to this issue. A lot of packets can come in during a 2-second window, with more and more people getting 100Mb+ connections.