Gateway crashed after states limit reached

GlooM_14

Greetings to all!

Today I tested one of our servers (in the external network) for overload, simulating DDoS.
To simulate DDoS, I used the utility hping3 that was launched on one of the computers inside the local network. The network gateway between the local network and the Internet is a virtual machine with pfSense (2.7.2-RELEASE (amd64). Resources allocated to the machine are 4 CPU cores and 8 gigabytes of RAM.

The utility was launched with the following parameters:
hping3 -S -p 443 --flood --rand-source <IP of target> -I ens192 -c 50

After several launches of the utility, the gateway crashed.

Oct 1 14:57:14 kernel [zone: pf states] PF states limit reached
Oct 1 15:00:04 syslogd kernel boot file is /boot/kernel/kernel
Oct 1 15:00:04 kernel kernel trap 12 with interrupts disabled
Oct 1 15:00:04 kernel Fatal trap 12: page fault while in kernel mode
Oct 1 15:00:04 kernel cpuid = 2; apic id = 04
Oct 1 15:00:04 kernel fault virtual address = 0x20
Oct 1 15:00:04 kernel fault code = supervisor read data, page not present
Oct 1 15:00:04 kernel instruction pointer = 0x20:0xffffffff80d4cef0
Oct 1 15:00:04 kernel stack pointer = 0x0:0xfffffe00840744c0
Oct 1 15:00:04 kernel frame pointer = 0x0:0xfffffe00840744d0
Oct 1 15:00:04 kernel code segment = base 0x0, limit 0xfffff, type 0x1b
Oct 1 15:00:04 kernel = DPL 0, pres 1, long 1, def32 0, gran 1
Oct 1 15:00:04 kernel processor eflags = resume, IOPL = 0
Oct 1 15:00:04 kernel current process = 12 (swi1: netisr 0)
Oct 1 15:00:04 kernel rdi: 0000000000000000 rsi: 0000000000000000 rdx: fffffe0083e2b560
Oct 1 15:00:04 kernel rcx: fffffe0083e2b560 r8: fffffe0083e2ba80 r9: fffffe0084075000
Oct 1 15:00:04 kernel rax: 0000000000000000 rbx: 0000000000000000 rbp: fffffe00840744d0
Oct 1 15:00:04 kernel r10: 00000000000001f4 r11: 00000000fe0fa722 r12: 0000000000000000
Oct 1 15:00:04 kernel r13: 0000000000002ee4 r14: 0000000000000000 r15: fffffe0083e2b560
Oct 1 15:00:04 kernel trap number = 12
Oct 1 15:00:04 kernel panic: page fault
Oct 1 15:00:04 kernel cpuid = 2
Oct 1 15:00:04 kernel time = 1727783943
Oct 1 15:00:04 kernel KDB: enter: panic
Oct 1 15:00:04 kernel Uptime: 244d19h2m41s

The attached screenshot shows two time points - 14:26 (normal state) and 14:58 (before the crash)
The maximum number of filter states is left at the default value of 813000. As I understand it, the state table overflowed. But shouldn't the table just reset? Why did the gateway crash and completely reboot?

It turns out that any user of a local network can use such a utility to kill the gateway at any time? Tell me, is it possible to protect gateway from such crashes with any settings?

stephenw10

Hmm, well that shouldn't happen!

You have to run the command several times in parallel? Or you ran it, quit, reran it etc?

That fills the state table very quickly for me with one process but doesn't crash it. I simply see logged:

Oct 1 21:14:47 	kernel 		TCP syncache overflow detected; using syncookies for the next 15 seconds
Oct 1 21:16:01 	kernel 		[zone: pf states] PF states limit reached 

The firewall stops responding during the flood and the gateway throws some errors because the pings fail.

That's a smaller device also running 2.7.2.

Steve