DDoS pfSense dies on XSYN and OVH scripts.
-
Better??
-
Have you tried PFSense 2.2? I know FreeBSD 10.1 was tested and PFSense 2.1.5 was tested, but those are two quite different versions of FreeBSD.
I could let you try it against my box, but only a few quick tests, wife likes to watch Netflix :-)
-
We have had ZERO response from the pfSense guys. This is quite disturbing since we can take down any site protected by pfSense as it is.
Right now its better to run without pf at all and rely on windows Firewall on VM's and let pf handle the routing. Only way to survive the attacks as it is.
Thinking og getting my old ISA2006 online again to test and see how it behaves.
You didn't try, now did you? Did you send a message to coreteam? To Chris, or me, or…?
No, you just randomly attacked the store and forum.
-
WTF???!!!
Lowprofile is the one having this dialog with Chris and we are working hard on trying to solve this!?
Spent most of friday evening in a datacenter discussing options with Lowprofile in here…
So you are fucking acusing me of taking the store and forum offline...
You take those words right back or you will hear from a lawyer ....THATS NOT OK TO INSINUATE THAT AT ALL!!
-
WTF???!!!
Lowprofile is the one having this dialog with Chris and we are working hard on trying to solve this!?
Spent most of friday evening in a datacenter discussing options with Lowprofile in here…
So you are fucking acusing me of taking the store and forum offline...
You take those words right back or you will hear from a lawyer ....THATS NOT OK TO INSINUATE THAT AT ALL!!
You said you did right here:
https://forum.pfsense.org/index.php?topic=88694.msg491103#msg491103"It didnt help. It takes this forum and store.netgate.com down as well easily."
It didnt help. It takes this forum and store.netgate.com down as well easily.
Throughput needs only to be about 20mbit before it dies and cant handle the traffic.
Its no issue if you use windows firewall as the frontend and the webserver itself can easily handle the traffic both regarding backlog and overall traffic and packets.
Its pfSense related and take it down instantly.
-
Its pfSense related and take it down instantly.
So it does NOT happen on FreeBSD?
Now that I've got the "script" (it's C code) that Supermule posted compiling, we'll look at it.
Reporting this to Chris in private is so seriously Not how this is done.
There was no email to security@
There was no email to coreteam@ -
popcorn
-
Dude….pls. READ what it says....
IT takes the forum and the store offline. IT didnt say I did it.... but suggests that YOU are vulnerable as well ....
So I inform you and then its my fault and me beeing behind it??
I am only reporting whats found among people I talk to IRL frequently. They test like mad people at the moment to come up with whats wrong with the software and I only report it when and IF we find something....
-
I havent reported anything to Chris. Lowprofile is the one handling that and the one in touch with Chris.
He has reported our findings or no findings… He is the one and NOT me....
So then you wouldnt find any email from me to the adresses you wrote because I didnt send one!
Its THAT obvious...
@gonzopancho:
Its pfSense related and take it down instantly.
So it does NOT happen on FreeBSD?
Now that I've got the "script" (it's C code) that Supermule posted compiling, we'll look at it.
Reporting this to Chris in private is so seriously Not how this is done.
There was no email to security@
There was no email to coreteam@ -
This is exactly why I never joke about farting in a crowded elevator to my GF.
I'll mention it in jest. Someone will actually do it and suddenly…. I'm the bad guy... :-\ -
Dude….pls. READ what it says....
IT takes the forum and the store offline. IT didnt say I did it.... but suggests that YOU are vulnerable as well ....
So I inform you and then its my fault and me beeing behind it??
I am only reporting whats found among people I talk to IRL frequently. They test like mad people at the moment to come up with whats wrong with the software and I only report it when and IF we find something....
Reporting issues with the software is fine. Reporting issues with the software in such a way that someone can reproduce them is even better (so your 'script' is actually useful).
Attacking other people's infrastructure (which you reported having done) is not fine.
And, frankly, you DID NOT INFORM ME.
Having a private conversation with Chris (and at this point I don't care if it was you, or Lowprofile , or someone else) and having a discussion in the forum where you report that "no response from the pfsense guys"
We have had ZERO response from the pfSense guys. This is quite disturbing since we can take down any site protected by pfSense as it is.
Right now its better to run without pf at all and rely on windows Firewall on VM's and let pf handle the routing. Only way to survive the attacks as it is.
Thinking og getting my old ISA2006 online again to test and see how it behaves.
is not responsible, or friendly, or even … professional.
-
This is exactly why I never joke about farting in a crowded elevator to my GF.
I'll mention it in jest. Someone will actually do it and suddenly…. I'm the bad guy... :-\So your assertion is that Supermule was joking when he reported:
It didnt help. It takes this forum and store.netgate.com down as well easily.
-
I'd have though he was just assuming.
-
Did the guy reporting that WTC towers collapsed fly the plane?
Did Charlie Hebdo hire those who almost wiped out the magazine??
Because I report it in here, then I am suddenly responsible for any attack that takes either this site or any other site offline?
Is that professional to accuse me of doing that or could we somehow get to the bottom of this as fast as possible so we can be ahead of those who wants us of the interwebs??
Guess what I prefer….. but hey. I reported it, so I must be the one....
I DDoS the shit out of myself and my own sites at the moment since I am trying to combat this with what I have and what I can tweak in the code.
We have gotten a long way but are not there yet...
-
So this thing is a fairly straight-forward SYN flood.
It does a bunch of work to support random generating source addresses.
rand_cmwc(void) generates values that can easily be turned into IP addresses
so, for instance, assuming that you correct rand_cmwc() and init_rand(), then making a small test driver:
int main()
{
int i;
struct in_addr a;init_rand(time(NULL));
for (i = 0; i < 9; i++) {
a.s_addr = rand_cmwc();
printf("Random address: %s\n", inet_ntoa(a));
}
}will yield (as an example, your IP addresses will be different)
[jim@qattest0 ~]$ ./a.out
Random IP addressr: 8.25.10.176
Random IP addressr: 48.232.250.197
Random IP addressr: 240.99.230.219
Random IP addressr: 93.5.177.255
Random IP addressr: 52.97.250.155
Random IP addressr: 97.95.88.207
Random IP addressr: 60.97.173.24
Random IP addressr: 188.23.14.176
Random IP addressr: 194.233.252.197The main part of the code implements a function named "flood()", which is run by one or more threads.
Flood runs in a loop, using a random source address, IP id, and TCP source port and TCP sequence number. -
Yes go on??
-
Did the guy reporting that WTC towers collapsed fly the plane?
Did Charlie Hebdo hire those who almost wiped out the magazine??
Meh.
Because I report it in here, then I am suddenly responsible for any attack that takes either this site or any other site offline?
No, because you report to have used this to attack "this site" (the forum) and "store.negate.com" makes you, by your own admission, someone who used this to attack our infrastructure.
Is that professional to accuse me of doing that or could we somehow get to the bottom of this as fast as possible so we can be ahead of those who wants us of the interwebs??
What? You reported that you took down store.netgate.com and the forum.
I DDoS the shit out of myself and my own sites at the moment since I am trying to combat this with what I have and what I can tweak in the code.
We have gotten a long way but are not there yet…
I don't care what you do to your on infrastructure.
-
Great…
-
I'd have though he was just assuming.
He made a definitive statement. "It takes this forum and store.netgate.com down as well easily."
He did not say, "It would probably take this forum and store.netgate.com down as well easily."
He did not say, "I assume it takes this forum and store.netgate.com down as well easily."
Even if he didn't attack these sites, (and, if you read carefully, I have not accused, only reported back what he said),
He complained about a "lack of response" from the pfsense team, but:Neither he or lowprofile contacted coreteam@
Neither he or low profile contacted security@All I have is:
-
reports that Chris was involved, somehow.
-
knowledge that the forum was taken offline by what appears to be a similar attack on Saturday
-
people running around here reporting that this is broken in pfSense but not in FreeBSD, when, given inspection of the "script" (code) posted, there is no reason to believe that such a statement is true.
-
-
Yes go on??
Go on? First we seek to understand what is happening, and now we'll go test it, and if there is something we can do about it (it's poorly named, I don't see how it generates a SYN at all, this may be a flaw we can advantage), we will develop a fix and either document it (if it's something that can be done from the GUI or by, i.e. plugging tunables into loader.conf.local) or develop a patch and get it into a release.