What is the biggest attack in GBPS you stopped
-
Send me an IP address to test….
Then I will surprise you.
-
@KOM:
Well, it really depends on what you have. 70-80 Mbps wouldn't take down my corporate link, but it would totally hammer the links of many smaller companies I know.
This is not about taking down the "link" (filling the pipe). It is about taking down pfSense. In which case the link (pipe) may as well be down. The point that is being put forth is that it doesn't matter that you have gigabit + pipe when it only takes about 70-80 Mbps to take down pfSense. Rendering the pipe useless.
@KOM:
I will reserve judgement until I see more than hand-waving.
Supermule has made the offer to prove it. What are you waiting for? Accept the challenge.
Supermule has made the offer to prove this several times in this thread. Would someone please take the challenge. I would but don't have 70-80 Mbps of bandwidth.
-
What are you waiting for? Accept the challenge.
I already did and didn't see what he was talking about. He blasted me with a sustained 90 Mbps, my link max. Our access was slow and I was getting service alarms from our external sensors, but pfSense was responsive. I didn't see anything that I wouldn't already expect to see while under DoS. He wanted to try another test where he blasts a port-forwarded server but I didn't have time or patience today for that.
-
From the outside, his link was taken down immediately and it didnt respond to ping at all.
And that was on a pfsense that had NO port forwards set.
If it had a server behind and actually trying to route it, then his GUI would be hit as well.
-
But why would the GUI be slow? While under full load, my CPU never rose above a few percent. Minor disk activity.
I do think it would be nice for someone official to chime in either way.
-
Exactly. It doesnt but it takes you offline even if it shouldnt…. but wait until you actually have a route to a server.
Then the load will be very visible in the GUI. Even if very few states and not much load is on the system.
You will see it in traffic graphs among other things, that they dont update as it should. There could be as much as 10 seconds between the graph update when hit.
-
It doesnt but it takes you offline even if it shouldnt….
Maybe I'm misunderstanding something, but yes, I do fully expect to be blown off the network if you flood my WAN. That's a DoS by definition, is it not?
-
@KOM:
It doesnt but it takes you offline even if it shouldnt….
Maybe I'm misunderstanding something, but yes, I do fully expect to be blown off the network if you flood my WAN. That's a DoS by definition, is it not?
I think the point here is that if pfSense can be knocked off with as little as 70-80 mbps, a gigabit pipe doesn't need to be flooded. It's not about flooding the pipe.
Maybe not a problem for those with less bandwidth. But for those with huge pipe, gigabit or more even, it would make it very easy for an attack to knock them offline with as little as 70-80 mbps. No where near saturating at gigabit pipe. Easy prey for an attacker. Wouldn't even have to allocate much resources.
Yes it would be nice to hear from someone official. If they where informed of this 2 to 3 months ago, and not responded, why do you supposed that would be.
-
They were. CMB promised to get back to us but havent.
-
I'm not sure what you expect man… A daily post from CMB saying he hasn't solved your issue yet?
-
No….but maybe some updates to what they find or not find??
Maybe hints to what could be done to minimize impact by adding things to system -> tunables??
-
My impression thus far is there is nothing they have been able to figure out because its a OS issue. I know they talked abit about it and posted about it in the past after someone took down their store website especially. I wouldn't expect a whole bunch of talk from them until they figure it out which will probably happen when the OS gets patched. Thats my guess.
Generally speaking though, I think you want a specialized DDOS prevention service between your routers and the internet.
Be careful with that too. A couple days ago our DDOS protection got mysteriously hyper-sensitive and started blocking most everything!
-
@KOM:
What are you waiting for? Accept the challenge.
I already did and didn't see what he was talking about. He blasted me with a sustained 90 Mbps, my link max. Our access was slow and I was getting service alarms from our external sensors, but pfSense was responsive. I didn't see anything that I wouldn't already expect to see while under DoS. He wanted to try another test where he blasts a port-forwarded server but I didn't have time or patience today for that.
Ahh, some new info that I haven't heard of until now. In the youtube videos of his own machine, small amounts of bandwidth was doing a lot more than just reducing bandwidth. But against your box, assuming the same attack, it didn't do much of anything than just eat some bandwidth.
I wouldn't mind participating in being a guinea pig for a short bit. I would like to see if any value below 95Mb can render by 100Mb connection dead.
-
Send me a PM :)
-
I just suddenly thought it would be funny if the issue was the logging caused by the default block rules was spamming his log and hanging the system, with the abrupt swings caused by the system attempting to make room in the log.
I think we covered this at one point, but I'm in a daze from lack of sleep and a busy week…. And Monday is tomorrow.. uhggg.
-
supermule ran the test on me and my wife got angry, I was having fun.
It started off like this, about 70Mb/s of traffic coming in and my WAN dropped out
After a tens more seconds, it got worse
Overall CPU usage seems low during this time, but part way through, really really bad things started to happen. I could not even talk to my admin interface.
This was all during the sub max bandwidth test of around 70Mb or less.
Eventually it transitioned into a bandwidth DDOS which maxed out my connection. PFSense started to respond again, but the Internet was mostly dead as expected when you have no bandwidth
The first quite of tests were the worst. The low bandwidth test made the entire PFSense box unresponsive
During the first tests, when PFSense was responding, it claimed CPU usage was low and System Activity looked normal.
During the high bandwidth test, CPU usage was high, but at-least PFSense was responding correctly.
-
Your box died using specific low bandwith scripts as predicted. Low bandwith script not using your CPU either.
You box got more responsive using SSYN but using larger packet size. 100mbit traffic….
-
I noticed the dashboard didn't show "70Mb" anywhere, but I did see it on the Traffic Graph which I should have kept. You can see the first spike of blocked traffic being around 70Mb. I had to reboot to get RRD sampling again, the service seems to have stopped working, but I think that has been discussed elsewhere and maybe even fixed in 2.2.1.
-
Another thing is that you can monitor your realtime traffic graph updating every second, get slow and starting to update maybe every 10 seconds or so…
-
Very interesting. Now you have my attention.