What is the biggest attack in GBPS you stopped
-
Try to add this manually in the system -> tunables
kern.ipc.somaxconn = 32768
And test again. We have seen some improvement using that setting
-
Try to add this manually in the system -> tunables
kern.ipc.somaxconn = 32768
And test again. We have seen some improvement using that setting
Was the improvement seen during a TCP or UDP DDoS?
-
Test using TCP scripts.
-
@KOM:
It's like saying there is no point to lock your door because bank are robbed ?
No, I'm saying that the strongest door you can find will happily collapse when it's being pounded on by a tank.
If what Supermule is saying is correct, 70-80 Mbps is no tank. It's like a spit wad pea shooter.
If pfSense really can be taken down by that, that is a huge serious issue.
Its in the OS. Hardware can easily handle it if you got some muscle.
I can take this site offline using a specific type of traffic that takes no more than 70-80Mbps bandwith.
When that traffic hits pfSense, its dead. Goes offline instantly. No matter how powerful the hardware is.
I run 8 Core, 16GB ram and SSD. Dead in a second if it hits.
-
It is. And we have contacted the dev. team but no replies at all from Chris on this issue. (2-3 mths).
-
You mentioned Windows weathers it better. What about something like a Cisco ASA?
-
We havent had the pleasure of having one available to test.
-
Christ, we are back to this "oooooooh I've got a supersecret attack to instacrash pfSense" noise again?
-
If what Supermule is saying is correct, 70-80 Mbps is no tank. It's like a spit wad pea shooter.
Well, it really depends on what you have. 70-80 Mbps wouldn't take down my corporate link, but it would totally hammer the links of many smaller companies I know.
If pfSense really can be taken down by that, that is a huge serious issue.
Agreed. However, I will reserve judgement until I see more than hand-waving.
-
Send me an IP address to test….
Then I will surprise you.
-
@KOM:
Well, it really depends on what you have. 70-80 Mbps wouldn't take down my corporate link, but it would totally hammer the links of many smaller companies I know.
This is not about taking down the "link" (filling the pipe). It is about taking down pfSense. In which case the link (pipe) may as well be down. The point that is being put forth is that it doesn't matter that you have gigabit + pipe when it only takes about 70-80 Mbps to take down pfSense. Rendering the pipe useless.
@KOM:
I will reserve judgement until I see more than hand-waving.
Supermule has made the offer to prove it. What are you waiting for? Accept the challenge.
Supermule has made the offer to prove this several times in this thread. Would someone please take the challenge. I would but don't have 70-80 Mbps of bandwidth.
-
What are you waiting for? Accept the challenge.
I already did and didn't see what he was talking about. He blasted me with a sustained 90 Mbps, my link max. Our access was slow and I was getting service alarms from our external sensors, but pfSense was responsive. I didn't see anything that I wouldn't already expect to see while under DoS. He wanted to try another test where he blasts a port-forwarded server but I didn't have time or patience today for that.
-
From the outside, his link was taken down immediately and it didnt respond to ping at all.
And that was on a pfsense that had NO port forwards set.
If it had a server behind and actually trying to route it, then his GUI would be hit as well.
-
But why would the GUI be slow? While under full load, my CPU never rose above a few percent. Minor disk activity.
I do think it would be nice for someone official to chime in either way.
-
Exactly. It doesnt but it takes you offline even if it shouldnt…. but wait until you actually have a route to a server.
Then the load will be very visible in the GUI. Even if very few states and not much load is on the system.
You will see it in traffic graphs among other things, that they dont update as it should. There could be as much as 10 seconds between the graph update when hit.
-
It doesnt but it takes you offline even if it shouldnt….
Maybe I'm misunderstanding something, but yes, I do fully expect to be blown off the network if you flood my WAN. That's a DoS by definition, is it not?
-
@KOM:
It doesnt but it takes you offline even if it shouldnt….
Maybe I'm misunderstanding something, but yes, I do fully expect to be blown off the network if you flood my WAN. That's a DoS by definition, is it not?
I think the point here is that if pfSense can be knocked off with as little as 70-80 mbps, a gigabit pipe doesn't need to be flooded. It's not about flooding the pipe.
Maybe not a problem for those with less bandwidth. But for those with huge pipe, gigabit or more even, it would make it very easy for an attack to knock them offline with as little as 70-80 mbps. No where near saturating at gigabit pipe. Easy prey for an attacker. Wouldn't even have to allocate much resources.
Yes it would be nice to hear from someone official. If they where informed of this 2 to 3 months ago, and not responded, why do you supposed that would be.
-
They were. CMB promised to get back to us but havent.
-
I'm not sure what you expect man… A daily post from CMB saying he hasn't solved your issue yet?
-
No….but maybe some updates to what they find or not find??
Maybe hints to what could be done to minimize impact by adding things to system -> tunables??