What is the biggest attack in GBPS you stopped

Supermule · May 30, 2015, 10:42 PM

Its not Tim :D

I just want to know why it behaves like that. Currently bombing Anthonys provided IP. Hope he is stilla alive :D

tim.mcmanus · May 30, 2015, 10:53 PM

It's an absolute waste of time to do anything with snort. It's built on top of pfSense, which in turn is built on top of FreeBSD.

When you troubleshoot a web server, you usually start with trying to ping the server, check to see if the port is open, and then look at the applications built on top of it. Why on God's green earth would you even look at snort?

If you want to resolve the issue, if you truly want to resolve the issue, eliminate the mast basic layers before you go up to the applications. If' stopped engaging in this ruse because of the distractions.

I can almost guarantee that the issue is with the FreeBSD networking drivers. I haven't seen a thread created on their forums to address or resolve the issue. There's no more point to this thread other than being a distraction from methodically trying to identify the root cause.

torontob · May 31, 2015, 3:35 AM

From those of you who are testing with Supermule, may we please have a quick update of what is happening now and what stage the testing is? And what is your current standing in regards to this issue? (e.g. will it bring the world down or not?)

I have lost tract since page 20 of the thread…

Thanks for all the hard work everyone!

doktornotor · May 31, 2015, 4:18 AM

@torontob:

may we please have a quick update of what is happening now and what stage the testing is?

Enough videos produced to run a dedicated YT channel for clueless nerds…

@torontob:

And what is your current standing in regards to this issue? (e.g. will it bring the world down or not?)

Yeah, we are all doomed.

Supermule · May 31, 2015, 5:54 PM

Apparently not if you migrate to OPNsense…

I hate the GUI but it has no issues despite beeing a fork of pfsense.

http://youtu.be/98I7-UHvkPQ

Even with the stage table full it keeps routing and reply. Almost zero packetloss.

Harvy66 · May 31, 2015, 6:18 PM

I noticed the first test had about 30Mb in the first test and only 9Mb on the second, after you made the change for adaptive scaling. What this a DDOS syn attack or just a normal one?

Supermule · May 31, 2015, 6:30 PM

DDoS.

doktornotor · May 31, 2015, 8:28 PM

@Supermule:

Apparently not if you migrate to OPNsense…

Excellent. So, now this thread finally can be closed…

firewalluser · May 31, 2015, 9:58 PM

@doktornotor:

@Supermule:

Apparently not if you migrate to OPNsense…

Excellent. So, now this thread finally can be closed…

It doesnt help existing users of pfsense who dont want to waste time jumping ship to yet another product though.

I personally would like to get to the bottom of it otherwise why even have a firewall at all then other than it helps bad actors who might be in play in a variety of ways including misleading people on threads in security forums?

All or nothing.

almabes · Jun 1, 2015, 11:52 AM

Status update:

I am at a point where I need help. I am not a BSD or UNIX guru. I need help getting pf configured with a NAT behind it. I also have DTrace working, but need guidance with what to run to get it to capture useful data during an attack.

We tested base FreeBSD 10.1-RELEASE. No pf, no NAT, just open to the wild internet. Supermule's attacks would overwhelm my available bandwidth and the box would be unreachable. The instant they stopped, the box was back.

Then I tried to configure pf and screwed myself. I don't have console access to the bare metal FreeBSD box, while sitting on my couch. I'll fix it when I'm in the office today.

After screwing myself, I had yard work to get done before the rains that saturated Texas attempted to do the same to Georgia and deliver a repaired laptop to the owner of a barbecue restaurant.

Harvy66 · Jun 1, 2015, 12:31 PM

@almabes:

Supermule's attacks would overwhelm my available bandwidth and the box would be unreachable.

Orerwhelming bandwidth is the expected situation, we're concerned about overwhelming the CPU for a fairly high end CPU and a small amount of traffic.

almabes · Jun 1, 2015, 12:56 PM

From what I could see in top, the attack did not get anywhere near overwhelming a CPU on the bare metal box. Interrupts were fairly low, as well. Unfortunately, the circuit is only 20Mb, but the CPE is a Catalyst 3500 series L3 switch, unlike my home connection.

Then I screwed myself trying to activate pf.

The box is not exactly high end, but it's not a steaming pile of doggie doo with an OS either. It only has the one Intel em interface, not an not an Intel igb. I'm going to scrounge up another GigE NIC today to stick in it, among things I have to do to pay bills.

I'm trying to test methodically, one layer at a time.

Base FreeBSD 10.1-RELEASE. No pf, no NAT
Base FreeBSD 10.1-RELEASE. pf, no NAT
Base FreeBSD 10.1-RELEASE. pf, NAT no ports forwarded
Base FreeBSD 10.1-RELEASE. pf, NAT one port forwarded to box on LAN

and so on…

Supermule · Jun 1, 2015, 12:52 PM

The bandwith comsumed depends on the handling of the firewall…

It sounds odd, but its not a bandwith attack and the reply vs. no reply from the FW is the difference between 30mbit and 7-8mbit traffic.

Its hard to explain but when I see the traffic graphs its very different when the FW loses packets and when it survives.

firewalluser · Jun 1, 2015, 1:14 PM

@Harvy66:

@almabes:

Supermule's attacks would overwhelm my available bandwidth and the box would be unreachable.

Orerwhelming bandwidth is the expected situation, we're concerned about overwhelming the CPU for a fairly high end CPU and a small amount of traffic.

Exactly, its quite possible there might be too code expected to run when considering the workload Snort has to do when SM tested it with snort running.

Nothing can be done by a fw when the bandwith is tested to the max provided the fw can handle the bandwith in the first place which is going to be different due to different hw in use including differences in cpu's, bus speeds of the mb, nic's used etc etc. Thats a lot of variables to check.

Add in additional packages and services that its expected to run and before long you end up with something like a MS Small Business Server which is expected to handle quite alot of work on one box and then users wonder why networks grind to a halt when everyone logs in at the same time in the morning.

Supermule · Jun 1, 2015, 1:32 PM

Snort is not the issue since it didnt matter if it was there or not.

I wanted Snort on the testbox because its nice and I wanted to test it to see if it did somthing bad/good in regards to the overall load on the box.

When one core hits 100% its gone….

firewalluser · Jun 1, 2015, 3:29 PM

Well lots of possibilities but imo until we can get Dtrace working on a pfsense machine its going to be guess work for now.

Supermule · Jun 1, 2015, 5:36 PM

EDIT: Rant over…

firewalluser · Jun 1, 2015, 4:27 PM

Any reason why?

Perhaps they feel Dtrace is not the best tool for the job?
Maybe too busy in the short term?
Some other reason?

It still doesnt stop us from having a go though does it?

tim.mcmanus · Jun 1, 2015, 4:49 PM

@Supermule:

Yes and the dev's dont want to help at all.

Devs have helped.

almabes · Jun 1, 2015, 5:11 PM

@tim.mcmanus:

@Supermule:

Yes and the dev's dont want to help at all.

Devs have helped.

I agree with Tim, here. I started a conversation with the Devs last week. Not going into it completely on this thread though.
Long and the short of it was:

A) We have a mismatch of problem and solution (DoS attack and Stateful packet filtering device)
B) We need to recreate the problem on FreeBSD 10.1-RELEASE. (Something I am working on with Supermule)
C) DTrace will help locate the issue, and the quickest way to get it going is on a stock FreeBSD box.

The message from devs was also educational as to the architecture of BSD in general, and FreeBSD specifically.

When we isolate the issue, I will release documentation. Keep your pants on. If you can help with tracing or logging, or configuring pf then help me. It'll help the community get the desired results (pfSense more resistant to nefarious scripts) much quicker.