Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    What is the biggest attack in GBPS you stopped

    Scheduled Pinned Locked Moved General pfSense Questions
    737 Posts 33 Posters 678.4k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • L
      lowprofile
      last edited by

      My last test with 2.2.2 was a big failure. Right now i am struggling to get pfsense stable (2.2.2)
      But i did a test and it was not impressive. A standard configuration. After adjusting it was still not good enough at all. So now i will go trough all tweak and tuning again in 2.2.2…. re-google and start all over. the syn proxy feature should easily had solved this issue, but i will make further test and return. I tried with a general SYN proxy rule. I locked my self out from gui... no response, then tried again since it was replying ICMP request, but no difference. The SYN proxy feature should had handled this issue, but it is not working as it should. Same behaviour.

      Read this as well as i think some settings here would help. http://people.freebsd.org/~jlemon/papers/syncache.pdf
      I will return after some test.

      It would be nice if you could set a treshold for SYN proxy in general. e.x 100 half open connection pr. ip would trigger SYNproxy to be enabled....

      1 Reply Last reply Reply Quote 0
      • C
        cmb
        last edited by

        @lowprofile:

        My last test with 2.2.2 was a big failure. Right now i am struggling to get pfsense stable (2.2.2)

        Which test was that you were running? I have the traffic saved with the name of the test if it was one of the same named ones.

        I keep asking for pcaps and have gotten only what lowprofile helped me get. Supermule, anyone else, save the attack traffic to a pcap and put it somewhere I can download.

        Run something like the following:

        tcpdump -i em0 -s 0 -w ddos1.pcap 
        

        Where em0 is the source interface of the traffic. Replicate what you're seeing, then ctrl-c to break out of the tcpdump. SCP the file off and get it to me. Try not to make it too absurdly large, but a few GB is fine.

        1 Reply Last reply Reply Quote 0
        • S
          Supermule Banned
          last edited by

          Packet capture crashed and I have filed a crash report on the subject.

          EDIT: Managed getting it going. Get the capture here:

          http://bruksparken.com/log/files/packetcapture.zip

          1 Reply Last reply Reply Quote 0
          • F
            firewalluser
            last edited by

            @cmb:

            @firewalluser:

            Have you considered that CMB is now under contract and cant disclose? This was something disclosed by Snowden, some individuals were forced/required to form a legal entity under guidance of the NSA.

            And now we're into conspiracy theories. No, that's not the case.

            @firewalluser:

            Put another way it would seem pfsense can hang windows and linux machines sat behind them.

            You're passing enough attack traffic through to hang Windows and Linux in that case.

            I'm sure you are familiar with the wide ranging contracts that exist in the world today beit Non Disclosure Agreements, or even the more common non compete agreements as exampled here: http://pando.com/2014/03/22/revealed-apple-and-googles-wage-fixing-cartel-involved-dozens-more-companies-over-one-million-employees/
            http://www.businessinsider.com/emails-eric-schmidt-sergey-brin-hiring-apple-2014-3?IR=T
            http://venturebeat.com/2014/05/23/4-tech-companies-are-paying-a-325m-fine-for-their-illegal-non-compete-pact/

            Put simply, you are not in a position to prove your innocence, because

            1. To adhere to the terms of any NDA contract you may have been forced/coerced to sign would mean any disclosure would render you in breach of your contract and liable to whatever penalties may have been included in any agreement and who in their "right" mind would put themselves at a disadvantage?

            2. Even if you have not signed any NDA contract you still cant prove your innocence, ergo the spooks & govt(s) still win, its classic divide and conquer techniques, which then begs the question why trust military & govt(s) or banks who carry out activities in secret?

            What I can say is trust can take ages to build up, but can be destroyed in seconds.

            On the point of passing enough traffic through pfsense, this has happened with less than 1mbits of traffic, a simple web page loading can trigger the OS cores to hang. Volume is irrelevant in the example I mention, but in relation to this thread and amounts of data, I wondered two things, exploiting the CPU designs namely cache and/or something network related as also mentioned by Kom here
            https://forum.pfsense.org/index.php?topic=91856.msg517296#msg517296

            I'm inclined at this stage to err towards something nic related but I will examine the zip posted by supermule to see if I can see anything untoward, but this could be a variation on the heap spraying exploit http://en.wikipedia.org/wiki/Heap_spraying

            I wonder if those affected are running snort and if so do the problems still exist, assuming snort is already aware of the problem much like AV software need to have found a virus before it can protect against it?

            All of the above is said with the best of intentions and for it to be educational to those who might not be aware of the deceit and duplicity in the world today.

            Edit.

            Has anyone tried an earlier version of pfsense like a 1.x version by any chance? ;)

            Capitalism, currently The World's best Entertainment Control System and YOU cant buy it! But you can buy this, or some of this or some of these

            Asch Conformity, mainly the blind leading the blind.

            1 Reply Last reply Reply Quote 0
            • S
              Supermule Banned
              last edited by

              M0n0wall suffers the same.

              I am running Snort.

              I can easily test without it. 2mins.

              1 Reply Last reply Reply Quote 0
              • S
                Supermule Banned
                last edited by

                Download it here.

                No Snort running, but same behaviour.

                http://bruksparken.com/log/files/packetcapture_no_snort.zip

                1 Reply Last reply Reply Quote 0
                • F
                  firewalluser
                  last edited by

                  How about an earlier version of pfsense which will have an earlier version of freebsd in as its looking like a OS issue at this stage provided your nic(s) is/are supported in the earlier version of freebsd?

                  http://files.uk.pfsense.org/mirror/downloads/old/

                  Capitalism, currently The World's best Entertainment Control System and YOU cant buy it! But you can buy this, or some of this or some of these

                  Asch Conformity, mainly the blind leading the blind.

                  1 Reply Last reply Reply Quote 0
                  • S
                    Supermule Banned
                    last edited by

                    Havent tested below 2.0.3

                    1 Reply Last reply Reply Quote 0
                    • F
                      firewalluser
                      last edited by

                      Might be worth trying a 1.x version then as its a process of elimination.

                      Once/If a version is found that is resiliant to this problem then its a case of finding the differences which between the version that works and the next incremental version that doesnt work.

                      Not hard to do but will involve a little time when using a text comparison/difference tool like this online example http://text-compare.com/ as both freebsd and pfsense are opensource. Harder to track down with black box software though.

                      fwiw.

                      Capitalism, currently The World's best Entertainment Control System and YOU cant buy it! But you can buy this, or some of this or some of these

                      Asch Conformity, mainly the blind leading the blind.

                      1 Reply Last reply Reply Quote 0
                      • S
                        Supermule Banned
                        last edited by

                        I might test OpnSense to see if it has the same issues…

                        1 Reply Last reply Reply Quote 0
                        • F
                          firewalluser
                          last edited by

                          Its a fork and like Kom I believe at this stage its a nic hook issue in the freebsd OS, hence my suggestion to go back to an earlier 1.x version of pfsense which runs an earlier version of freebsd, but feel free to still check out the fork for piece of mind.

                          Capitalism, currently The World's best Entertainment Control System and YOU cant buy it! But you can buy this, or some of this or some of these

                          Asch Conformity, mainly the blind leading the blind.

                          1 Reply Last reply Reply Quote 0
                          • S
                            Supermule Banned
                            last edited by

                            Cannot even install it neither in I386 or AMD64 :D

                            2.1.5 as I have running in the datacenters are much more resiliant to the SYN flood.

                            Attached a dump of system activity.

                            It doesnt get unresponsive at all and is contactable at all times.

                            Only thing hanging is routing to the servers behind takes forever.

                            2.1.5_activity.PNG
                            2.1.5_activity.PNG_thumb

                            1 Reply Last reply Reply Quote 0
                            • K
                              kroberts
                              last edited by

                              @firewalluser:

                              I'm sure you are familiar with the wide ranging contracts that exist in the world today beit Non Disclosure Agreements, or even the more common non compete agreements as exampled here: http://pando.com/2014/03/22/revealed-apple-and-googles-wage-fixing-cartel-involved-dozens-more-companies-over-one-million-employees/
                              http://www.businessinsider.com/emails-eric-schmidt-sergey-brin-hiring-apple-2014-3?IR=T
                              http://venturebeat.com/2014/05/23/4-tech-companies-are-paying-a-325m-fine-for-their-illegal-non-compete-pact/

                              Put simply, you are not in a position to prove your innocence, because

                              1. To adhere to the terms of any NDA contract you may have been forced/coerced to sign would mean any disclosure would render you in breach of your contract and liable to whatever penalties may have been included in any agreement and who in their "right" mind would put themselves at a disadvantage?

                              2. Even if you have not signed any NDA contract you still cant prove your innocence, ergo the spooks & govt(s) still win, its classic divide and conquer techniques, which then begs the question why trust military & govt(s) or banks who carry out activities in secret?

                              What I can say is trust can take ages to build up, but can be destroyed in seconds.

                              On the point of passing enough traffic through pfsense, this has happened with less than 1mbits of traffic, a simple web page loading can trigger the OS cores to hang. Volume is irrelevant in the example I mention, but in relation to this thread and amounts of data, I wondered two things, exploiting the CPU designs namely cache and/or something network related as also mentioned by Kom here
                              https://forum.pfsense.org/index.php?topic=91856.msg517296#msg517296

                              I'm inclined at this stage to err towards something nic related but I will examine the zip posted by supermule to see if I can see anything untoward, but this could be a variation on the heap spraying exploit http://en.wikipedia.org/wiki/Heap_spraying

                              I wonder if those affected are running snort and if so do the problems still exist, assuming snort is already aware of the problem much like AV software need to have found a virus before it can protect against it?

                              All of the above is said with the best of intentions and for it to be educational to those who might not be aware of the deceit and duplicity in the world today.

                              Edit.

                              Has anyone tried an earlier version of pfsense like a 1.x version by any chance? ;)

                              And likewise by your logic you can't prove you haven't signed a contract with some organization bent on sowing distrust in pfSense in general, or cmb specifically.  Your post here looks exactly like what I would expect such an attack to look like.  Don't bother denying it, you're obviously under and NDA or non-compete.

                              Conspiracy theories are great entertainment, but don't get carried away by it.

                              1 Reply Last reply Reply Quote 0
                              • S
                                Supermule Banned
                                last edited by

                                Can we pls. get back to fighting DoS here :D

                                instead of each other?

                                1 Reply Last reply Reply Quote 0
                                • M
                                  mer
                                  last edited by

                                  @Supermule:

                                  Cannot even install it neither in I386 or AMD64 :D

                                  2.1.5 as I have running in the datacenters are much more resiliant to the SYN flood.

                                  Attached a dump of system activity.

                                  It doesnt get unresponsive at all and is contactable at all times.

                                  Only thing hanging is routing to the servers behind takes forever.

                                  Is 2.1.5 running on the same version of FreeBSD as 2.2.2?  Basically, PF vs kernel area?

                                  1 Reply Last reply Reply Quote 0
                                  • H
                                    Harvy66
                                    last edited by

                                    2.1.x is 8.3 and 2.2.x is 10.1.x

                                    1 Reply Last reply Reply Quote 0
                                    • M
                                      mer
                                      last edited by

                                      @Harvy66:

                                      2.1.x is 8.3 and 2.2.x is 10.1.x

                                      Thanks.  So there may be changes in driver and stack code between 8.3 and 10 that would be "interesting".  I'm guessing also changes in FreeBSD PF code between the two also.

                                      1 Reply Last reply Reply Quote 0
                                      • S
                                        Supermule Banned
                                        last edited by

                                        Lowprofile saw the same pattern. Even 2.1.5 suffered in terms of routing but didnt have the same unresponsiveness as the 2.2.x branch in 10.1 compared to 8.3.

                                        If I do back to back testing on the systems then 2.1.5 fares much better than 2.2.2.

                                        Both with Snort running.

                                        1 Reply Last reply Reply Quote 0
                                        • H
                                          Harvy66
                                          last edited by

                                          2.2 is on 10.1, which means PF supports better threading. Maybe PF is able to consume more CPU in 2.2 than 2.1 or earlier because of this.

                                          1 Reply Last reply Reply Quote 0
                                          • S
                                            Supermule Banned
                                            last edited by

                                            But CPU load is not the issue??

                                            Unless it consumes the cache and cannot process the IO cue.

                                            But it should handle 3Gbyte/S no problem. So I dont understand why it should be CPU related at all.

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.