What is the biggest attack in GBPS you stopped
-
Have you tested FreeBSD and/or OpenBSD?
-
FreeBSD yes, OpenBSD no.
-
but pf is dead. … goes offline completely and doesnt handle traffic at all. ... It completely downs pfSense and render the GUI useless/unresponsive.
-
no good news on the horizon then :(
-
Do you have a fix for this? Any ideas Doktor??
-
No, I have no fix for your top secret instant DoS. You know what? Either do a proper full disclosure or go away. Tired of reading this useless "PM me and I'll DoS you" crap for months.
-
Do you actually think that by going public with a script that can down any pfsense installation with a bandwith usage of 40mbps would be a wise idea??
What the hell is wrong with you?
-
With me? This "PM to get DoS-ed" BS is not how you get things fixed… Either work with those concerned (that includes FreeBSD upstream), or just publish it. Seriously noone is interested in crappy Youtube videos of unresponsive GUI.
-
But we want to test things and actually have something to point out before we introduce the world.
We want to see if others are affected and sees the same as we do.
Then we did write to ESF and told them there was a huge problem.
Not much has come back…
We upgrade and harden the damn thing to get a clue of whats actually going on when it hits and WHY 15mbps downs the thing!
I would love to open a redmine ticket for this, but I havent got a clue of which direction to point people in...!
So cut the crap and help if you can. Otherwise STFU.
-
Who the hell is "we"? I for sure don't want to see any Youtube "tests". Reminds me of the endless crappy antivirus "reviews" done on Youtube in a VM. If all you wrote to someone was "Hey, there's a huge problem, PM me and I'll DoS you", there's no surprise not much came back. You need to provide a testcase to reproduce the thing. Not this nonsense.
-
Lowprofile is also in this test scenario.
He has the email conversation with ESF.
-
If responsable disclosure has been done and no suitable answer is given sometimes full disclosure is the way to go.
In any way the bad guys are probably allready aware of the details so it will not hurt so much and help the community to find solutions if there is one, and if not, then be aware seems better than beleiving we are safe.
Of course this is my way of seeing things. Not using pfsense on professional things i use it only for now on personal adsl lines . Also if this is a FreeBSD issue and not a pfsense only thing trying to reach the bds guys could be the solution.
-
Its in the OS. Hardware can easily handle it if you got some muscle.
I can take this site offline using a specific type of traffic that takes no more than 70-80Mbps bandwith.
When that traffic hits pfSense, its dead. Goes offline instantly. No matter how powerful the hardware is.
I run 8 Core, 16GB ram and SSD. Dead in a second if it hits.
Exploiting the multithreading capabilities perhaps?
-
Perhaps :)
-
@ghislain26:
hi,
i am hit by ddos (upd flood mostly) and looking for solutions, hopefully opensource ones. I wanted to know what was the biggest multi gigabits attack you successfully stopped with your pfsense setup in the field ( so not with nullrouting at ISP level) and what the hardware used was.
My actuel issue is on the 5 to 10 gbps DDOS udp flood attacks so i search to see if a 20gbps filtering firewall could work in the real world of April 2015 and help me mitigate 1-16gbps attacks. My problem is to filter myself not ask upstrream to help so i really speak of how i can filter this and if anyone here had setup playing at this level of gbps.
regards,
Ghislain.Some DDOS attacks can be nullified by simply changing the ip address(es) at the dns level.
Where a DNS lookup is taking place, you need to identify the rogue who is doing the dns lookup and send them off to 23.37.28.215 or 195.99.147.120 if you have a sense of humour which contrary to popular belief also includes these guys 77.87.229.22. ;D -
I can tell you this much….
Windows firewall doesnt get affected by any of these attacks. If you put the server out front and only have WF running and forwarding traffic to the server then it can handle it easily.
It seems to only affect UNIX/Linux/BSD distros.
But MS are no longer supporting ISA server or its later rebranded versions last time I looked, but there might still be a way of exploiting the windows core in similar circumstances.
-
Could be. And yes its not supported any more.
But we were testing…..
-
No….but maybe some updates to what they find or not find??
Maybe hints to what could be done to minimize impact by adding things to system -> tunables??
Have you considered that CMB is now under contract and cant disclose? This was something disclosed by Snowden, some individuals were forced/required to form a legal entity under guidance of the NSA.
http://www.tomsguide.com/us/nsa-tech-coercion,news-17517.html
-
HAHAHAHAHAHAHAHA :D
If thats the case, then pfSense is dead as of THIS moment :D
-
Some DDOS attacks can be nullified by simply changing the ip address(es) at the dns level.
Where a DNS lookup is taking place, you need to identify the rogue who is doing the dns lookup and send them off to 23.37.28.215 or 195.99.147.120 if you have a sense of humour which contrary to popular belief also includes these guys 77.87.229.22. ;Dthe issue is on a webserver with XX+ domains the udp attack do not show which one is targetted and also some domains are handled by the main branch of the customer of our customer's office in another country with days of business paperwork nonsense to finaly react and change the dns :)
this is why i started to look at beeffy machines with pfsense to help but first i try to gather information about people using it for this and it seems no one, that answer here, use pfsense in multi gigabit setup or has experienced multi gigabit attacks on a pfsense box. I am happy thet they do not get attacked but i would have loved they had been to have some feedback ;p Supermule is providing feedback on "small scale" attack that would take down a firewall like this so i am not closer to any solution right now (and still fight on DC side to get a POC setup) :)