Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    What is the biggest attack in GBPS you stopped

    Scheduled Pinned Locked Moved General pfSense Questions
    737 Posts 33 Posters 600.5k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • L
      ledj
      last edited by

      Reading this thread with interest.

      I might be interested in participating in testing of pfsense. I've set up a pfsense which should replace our existing firewall (shorewall/iptables on linux).

      We have the 2 firewalls (existing and a new pfsense) on the same pipe running 1 gbit which is also used for productions system (so a minimal test in regards to time span would be OK in the middle of the night… timezone gmt+2 since we have to announce this to our customers, probably your daytime :) ...)

      A few questions:

      From where does the simulated attack origin ?

      Is it special crafted UDP traffic ? (low and slow attack ?)

      Will the simulated attack influence our primary linux firewall ? (I guess not since it's not using full pipe)

      What is your settings for timeouts etc. in pfsense ? (the things cmb pointed out, our linux firewall is tuned for this after some annoying floods, but I'm new to pfsense so good to know recommended settings... also it's not easy to migrate settings when things are named differently... but could read up on this... though it's faster to have recommended settings, but maybe there isn't any recommended settings yet ?)

      The pfsense is on a hardware server with http://ark.intel.com/products/75779/Intel-Xeon-Processor-E5-1620-v2-10M-Cache-3_70-GHz and 32gb ram, so no VM.

      1 Reply Last reply Reply Quote 0
      • S
        Supermule Banned
        last edited by

        From everywhere… using spoofed IP's.

        No. It can be tailored to use special crafted packages.

        Depending on the packet load of the pipe, it can be.

        I have time tonight at 10PM CET.

        Send me a port and IP to test. Make sure it responds to ICMP on WAN so I can monitor the response from here and test various setups regarding the attack.

        It will take 2-10 mins depending on response from the ICMP. If no response at all on PING then its a quick test, if normal reply attack will change using different approach until pfsense doesnt respond.

        1 Reply Last reply Reply Quote 0
        • S
          Supermule Banned
          last edited by

          I guess no test tonight….

          1 Reply Last reply Reply Quote 0
          • L
            ledj
            last edited by

            Sorry, have kids who wouldn't sleep.

            I'll send you IP on PM if you still have time…

            1 Reply Last reply Reply Quote 0
            • L
              ledj
              last edited by

              Send a message through the system, but can't see a sent message… did you get it ?

              1 Reply Last reply Reply Quote 0
              • S
                Supermule Banned
                last edited by

                Just a short notice on the matter.

                Even after the 2.2.2 upgrade the GUI itself stille becomes useless during a SYN flood.

                http://youtu.be/Jji4lW8gW1c

                It even records packet loss to the LAN side and response times gets 10 times longer. Traffic graphs doesnt update at all and the worst part is the amount of traffic coming in.

                15mbps…. States running around 150K out of 8MM. No real load on the server itself, but pf is dead. If the attack gets a little bigger (around 40mbps) then it goes offline completely and doesnt handle traffic at all.

                1 Reply Last reply Reply Quote 0
                • S
                  Supermule Banned
                  last edited by

                  Testing again this time stateless.

                  http://youtu.be/CGDo9pAQDlo

                  It completely downs pfSense and render the GUI useless/unresponsive.

                  1 Reply Last reply Reply Quote 0
                  • N
                    Nullity
                    last edited by

                    Have you tested FreeBSD and/or OpenBSD?

                    Please correct any obvious misinformation in my posts.
                    -Not a professional; an arrogant ignoramous.

                    1 Reply Last reply Reply Quote 0
                    • S
                      Supermule Banned
                      last edited by

                      FreeBSD yes, OpenBSD no.

                      1 Reply Last reply Reply Quote 0
                      • D
                        doktornotor Banned
                        last edited by

                        @Supermule:

                        but pf is dead. … goes offline completely and doesnt handle traffic at all. ... It completely downs pfSense and render the GUI useless/unresponsive.

                        1 Reply Last reply Reply Quote 0
                        • G
                          gadnet
                          last edited by

                          no good news on the horizon then :(

                          1 Reply Last reply Reply Quote 0
                          • S
                            Supermule Banned
                            last edited by

                            Do you have a fix for this? Any ideas Doktor??

                            1 Reply Last reply Reply Quote 0
                            • D
                              doktornotor Banned
                              last edited by

                              No, I have no fix for your top secret instant DoS. You know what? Either do a proper full disclosure or go away. Tired of reading this useless "PM me and I'll DoS you" crap for months.

                              1 Reply Last reply Reply Quote 0
                              • S
                                Supermule Banned
                                last edited by

                                Do you actually think that by going public with a script that can down any pfsense installation with a bandwith usage of 40mbps would be a wise idea??

                                What the hell is wrong with you?

                                1 Reply Last reply Reply Quote 0
                                • D
                                  doktornotor Banned
                                  last edited by

                                  With me? This "PM to get DoS-ed" BS is not how you get things fixed… Either work with those concerned (that includes FreeBSD upstream), or just publish it. Seriously noone is interested in crappy Youtube videos of unresponsive GUI.

                                  1 Reply Last reply Reply Quote 0
                                  • S
                                    Supermule Banned
                                    last edited by

                                    But we want to test things and actually have something to point out before we introduce the world.

                                    We want to see if others are affected and sees the same as we do.

                                    Then we did write to ESF and told them there was a huge problem.

                                    Not much has come back…

                                    We upgrade and harden the damn thing to get a clue of whats actually going on when it hits and WHY 15mbps downs the thing!

                                    I would love to open a redmine ticket for this, but I havent got a clue of which direction to point people in...!

                                    So cut the crap and help if you can. Otherwise STFU.

                                    1 Reply Last reply Reply Quote 0
                                    • D
                                      doktornotor Banned
                                      last edited by

                                      Who the hell is "we"? I for sure don't want to see any Youtube "tests". Reminds me of the endless crappy antivirus "reviews" done on Youtube in a VM. If all you wrote to someone was "Hey, there's a huge problem, PM me and I'll DoS you", there's no surprise not much came back. You need to provide a testcase to reproduce the thing. Not this nonsense.

                                      1 Reply Last reply Reply Quote 0
                                      • S
                                        Supermule Banned
                                        last edited by

                                        Lowprofile is also in this test scenario.

                                        He has the email conversation with ESF.

                                        1 Reply Last reply Reply Quote 0
                                        • G
                                          gadnet
                                          last edited by

                                          If responsable disclosure has been done and no suitable answer is given sometimes full disclosure is the way to go.

                                          In any way the bad guys are probably allready aware of the details so it will not hurt so much and help the community to find solutions if there is one, and if not, then be aware seems better than beleiving we are safe.

                                          Of course this is my way of seeing things. Not using pfsense on professional things i use it only for now on personal adsl lines . Also if this is a FreeBSD issue and not a pfsense only thing trying to reach the bds guys could be the solution.

                                          1 Reply Last reply Reply Quote 0
                                          • F
                                            firewalluser
                                            last edited by

                                            @Supermule:

                                            Its in the OS. Hardware can easily handle it if you got some muscle.

                                            I can take this site offline using a specific type of traffic that takes no more than 70-80Mbps bandwith.

                                            When that traffic hits pfSense, its dead. Goes offline instantly. No matter how powerful the hardware is.

                                            I run 8 Core, 16GB ram and SSD. Dead in a second if it hits.

                                            Exploiting the multithreading capabilities perhaps?

                                            Capitalism, currently The World's best Entertainment Control System and YOU cant buy it! But you can buy this, or some of this or some of these

                                            Asch Conformity, mainly the blind leading the blind.

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.