DDoS pfSense dies on XSYN and OVH scripts.
-
According to Supermule, UDP does the same thing, even if the packets are being dropped.
I can't confirm it, it may be a combination of UDP/SYN. I will try it in next few days.
-
What is UDP/SYN? :-)
-
When a UDP packet touches itself, it becomes SYNful and your firewall crashes.
-
There is nothing wrong with a UDP packet touching itself.
Keep your religion out of your network, and you'll be just fine.
-
First of all, nice to see some progress. :)
You'll find you get a better, (less hostile) response if you don't bait me into answering.
Just to be clear, after more than 50-60 hours of severe testing of these types of attacks, I can conclude that "OVH" ESSYN, SYN ACK, SYN FLOOD all appear to be some kind of SYN attack. Some are simple SYN ACKs, others are special attacks. These scripts are getting quite normal on the internet, since they are available to take down with no bandwidth. The trend of BIG high-volume attacks is no longer interesting, since these are much cheaper and much more effective and easy to bypass by DDoSers.
And they've been part of the Internet for a long, long time. They're not even very sophisticated.
Anyway, the script which was provided earlier was just 1 out of 100 available on the internet. They are getting better and more efficient, which is why this area needs more attention from the pfSense team.
First, it's not a script, it's C source code that needs fixing to even compile.
Second, I don't care if it's one of 100 available. I don't go looking for this kind of tripe. If I need something like this (for testing), I, or one of the other people here can write one in an afternoon. I won't have the "too cool" Matrix quote on it, but otherwise it will be a much better programming example.
I'm glad that there is a focus on it now, and I am excited to test any "patches" or good advice to prevent such attacks.
I also tested with pfSense 2.2, which didn't show any progress. FreeBSD 10.1 was handling it better,
If "FreeBSD 10.1 was handling it better", then your test was faulty, perhaps only in that you didn't duplicate the semantics of the ruleset, but it's not like that part of pfSense 2.2 is significantly different from FreeBSD 10.1.
but if you tune pfSense with some parameters and set some limits you can prevent almost 85% of SYN attacks.
The most telling thing here is that you haven't actually documented any of your "tuning" or "limits".
There were though some special attacks which still took it down (SYN also); I can try to find the source code of it and send it, this time to the team directly, instead of Chris. ;)
Sure.
@gonzopancho:
We've found that if you add set timeout tcp.first 5 to pf.conf, then the 'attack' won't render a C2758 attached via 10G interfaces useless. Without same, the C2758 becomes all but wedged in a matter of seconds.
Since adding this timeout to the pf.conf by hand won't survive even a rule change (never mind a reboot), I'm going to have people here add code to the 'Advanced' tab (under Firewalling/Rules) to enable same. People who really want the change before we get 2.2.1 released can gitsync the code onto their box.
That sounds so great! I will test it! Let us know when it is available to gitsync it.
You could test things by hand. I've already given you the line to add to pf.conf (likely /tmp/rules.debug), but you'll have to know how to reload the ruleset from the command line. Since you're already familiar with FreeBSD 10.1, you presumably know how to do this.
@gonzopancho:
…. Chris is complaining that lowprofile isn't responding to repeated requests for more information. All I can say here is that you're in a difficult position if you claim that we're being non-responsive when we're trying to gather more information.
Not 100% correct, though I am not here to discuss this. Leave it as it is :)
Cheers!
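A check for the mitigation described in the post above, added here as an example and not code from the thread or from pfSense: it inspects a pf ruleset file for the "set timeout tcp.first" option, reports whether it is at or below the 5 seconds named there, and can print a copy with the option set. Only the one-line "set timeout tcp.first N" form is handled, not the braced "set timeout { ... }" form, and the sample ruleset is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks a pf ruleset file for the
# "set timeout tcp.first" option that the post above reports as the mitigation
# and can emit a copy with the option set. Only the one-line form is handled,
# not the braced "set timeout { ... }" form.

# Constructed sample ruleset (assumption: not a real pfSense rules.debug).
pf_sample_ruleset() {
    cat <<'EOF'
set limit states 1000000
set optimization normal
scrub in on em0 all fragment reassemble
block in log all
pass in on em0 proto tcp from any to (em0) port 443 flags S/SA keep state
EOF
}

# Print the configured tcp.first timeout in seconds, or nothing if unset.
pf_tcp_first_timeout() {
    awk '/^[ \t]*set[ \t]+timeout[ \t]+tcp\.first[ \t]+[0-9]+/ { v = $4 }
         END { if (v != "") print v }' "$1"
}

# Succeed only if tcp.first is set and at most $2 seconds (default 5,
# the value reported in the thread).
pf_tcp_first_ok() {
    limit=${2:-5}
    v=$(pf_tcp_first_timeout "$1")
    [ -n "$v" ] && [ "$v" -le "$limit" ]
}

# Print a copy of the ruleset with tcp.first forced to $2 seconds. An existing
# line is rewritten; otherwise the option is placed first, because pf requires
# "set" options to come before the filter rules.
pf_set_tcp_first() {
    file=$1
    val=${2:-5}
    if [ -n "$(pf_tcp_first_timeout "$file")" ]; then
        sed "s/^\([[:space:]]*set[[:space:]]\{1,\}timeout[[:space:]]\{1,\}tcp\.first[[:space:]]\{1,\}\)[0-9]\{1,\}/\1$val/" "$file"
    else
        printf 'set timeout tcp.first %s\n' "$val"
        cat "$file"
    fi
}
```

On a pfSense box the same functions can be pointed at /tmp/rules.debug, the path named above; as the post says, a hand edit there is overwritten on the next ruleset reload, so this is a check, not a persistent fix.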
-
@gonzopancho:
What is UDP/SYN? :-)
I read it as a question about bandwidth or SYN attack, hence my answer.
I don't even bother to reply to your negative posts. We came up with an issue which needed to be enlightened. We did, and you found a "fix". = Good for everyone.
The source code was provided by me anyway (found on the internet); I do know it is used by those scripts etc. No need for "nitpicking" each and every word.
Now relax and go out and enjoy your life, instead of filling this forum with your negative attitude, all the way ;)
-
2.2 has the same issues and chokes the same way.
Lowprofile has setup both versions and there was no difference.
@gonzopancho:
This picture shows it all…
The picture shows that you are running 2.1.5. 2.2 will have a much better chance of standing up to the traffic you're seeing (testing?)
-
So, out of curiosity, is this fixed in 2.2.1?
-
Hi,
Anyone managed to find a workaround to this issue ?
EA.