Netgate Discussion Forum
    What is the biggest attack in GBPS you stopped

    Category: General pfSense Questions. 737 Posts, 33 Posters, 601.3k Views
    • Supermule

      Exactly.

      @Harvy66:

      @lowprofile:

      Nice thread but also some overkill statements from people :D

      • I was one of the first to locate this issue, and since last I've been much more experienced and today having an almost bulletproof setup regarding SYN flood.
        Too much custom work to make a how-to guide at this moment, but looking forward to seeing the new corrections in 2.2.2

      Will make some tests in upcoming weeks.

      I'm under the impression that a similar issue can be triggered by UDP, not just TCP. I think SuperMule showed many out-of-state UDP packets from many IP+port combos can trigger issues without consuming all of the bandwidth.
    • Harvy66

      If UDP can cause it, I wonder if ICMP can also cause it, heck, even a custom protocol. What I'm getting at is I wonder if it's an issue with the firewall and IP, when lots of different IPs are getting blocked.
    • ledj

      Reading this thread with interest.

      I might be interested in participating in testing of pfSense. I've set up a pfSense which should replace our existing firewall (shorewall/iptables on linux).

      We have the 2 firewalls (existing and a new pfSense) on the same pipe running 1 Gbit which is also used for production systems (so a minimal test in regards to time span would be OK in the middle of the night... timezone GMT+2 since we have to announce this to our customers, probably your daytime :) ...)

      A few questions:

      From where does the simulated attack originate?

      Is it specially crafted UDP traffic? (low and slow attack?)

      Will the simulated attack influence our primary linux firewall? (I guess not since it's not using the full pipe)

      What are your settings for timeouts etc. in pfSense? (the things cmb pointed out; our linux firewall is tuned for this after some annoying floods, but I'm new to pfSense so it's good to know recommended settings... also it's not easy to migrate settings when things are named differently... but could read up on this... though it's faster to have recommended settings, but maybe there aren't any recommended settings yet?)

      The pfSense is on a hardware server with http://ark.intel.com/products/75779/Intel-Xeon-Processor-E5-1620-v2-10M-Cache-3_70-GHz and 32 GB RAM, so no VM.
    • Supermule

      From everywhere... using spoofed IPs.

      No. It can be tailored to use specially crafted packets.

      Depending on the packet load of the pipe, it can be.

      I have time tonight at 10PM CET.

      Send me a port and IP to test. Make sure it responds to ICMP on WAN so I can monitor the response from here and test various setups regarding the attack.

      It will take 2-10 mins depending on response from the ICMP. If there is no response at all on PING then it's a quick test; if there is a normal reply, the attack will change using a different approach until pfSense doesn't respond.
    • Supermule

      I guess no test tonight...
    • ledj

      Sorry, have kids who wouldn't sleep.

      I'll send you the IP on PM if you still have time...
    • ledj

      Sent a message through the system, but can't see a sent message... did you get it?
    • Supermule

      Just a short notice on the matter.

      Even after the 2.2.2 upgrade the GUI itself still becomes useless during a SYN flood.

      http://youtu.be/Jji4lW8gW1c

      It even records packet loss to the LAN side and response times get 10 times longer. Traffic graphs don't update at all and the worst part is the amount of traffic coming in.

      15 Mbps... States running around 150K out of 8MM. No real load on the server itself, but pf is dead. If the attack gets a little bigger (around 40 Mbps) then it goes offline completely and doesn't handle traffic at all.
    • Supermule

      Testing again, this time stateless.

      http://youtu.be/CGDo9pAQDlo

      It completely downs pfSense and renders the GUI useless/unresponsive.
    • Nullity

      Have you tested FreeBSD and/or OpenBSD?

      Please correct any obvious misinformation in my posts.
      -Not a professional; an arrogant ignoramus.
    • Supermule

      FreeBSD yes, OpenBSD no.
    • doktornotor

      @Supermule:

      but pf is dead. ... goes offline completely and doesn't handle traffic at all. ... It completely downs pfSense and renders the GUI useless/unresponsive.
    • gadnet

      No good news on the horizon then :(
    • Supermule

      Do you have a fix for this? Any ideas Doktor??
    • doktornotor

      No, I have no fix for your top secret instant DoS. You know what? Either do a proper full disclosure or go away. Tired of reading this useless "PM me and I'll DoS you" crap for months.
    • Supermule

      Do you actually think that going public with a script that can down any pfSense installation with a bandwidth usage of 40 Mbps would be a wise idea??

      What the hell is wrong with you?
    • doktornotor

      With me? This "PM to get DoS-ed" BS is not how you get things fixed... Either work with those concerned (that includes FreeBSD upstream), or just publish it. Seriously, no one is interested in crappy Youtube videos of an unresponsive GUI.
    • Supermule

      But we want to test things and actually have something to point out before we introduce it to the world.

      We want to see if others are affected and see the same as we do.

      Then we did write to ESF and told them there was a huge problem.

      Not much has come back...

      We upgrade and harden the damn thing to get a clue of what's actually going on when it hits and WHY 15 Mbps downs the thing!

      I would love to open a redmine ticket for this, but I haven't got a clue which direction to point people in...!

      So cut the crap and help if you can. Otherwise STFU.
    • doktornotor

      Who the hell is "we"? I for sure don't want to see any Youtube "tests". Reminds me of the endless crappy antivirus "reviews" done on Youtube in a VM. If all you wrote to someone was "Hey, there's a huge problem, PM me and I'll DoS you", there's no surprise not much came back. You need to provide a testcase to reproduce the thing. Not this nonsense.
    • Supermule

      Lowprofile is also in this test scenario.

      He has the email conversation with ESF.
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.