What is the biggest attack in GBPS you stopped
-
Again, if you have a piece of infrastructure that has a vulnerability and you cannot mitigate it upstream, I would seriously question the security design of your network.
… or a better solution, change the hardware.
Change the architecture.
I have a Palo Alto on the border because I want a security appliance there, and then there's an F5 behind that, and of course pfSense next. This is just a general, high level view; there's more than this. I support customers in finance and life sciences.
If I cannot handle an attack with those security layers, I escalate to the ISP.
With my SMB customers I'm looking at the Mirkotek as a $40 "fix" to stop the SYN packets in front of their pfSense installations. As I mentioned before, I might be inclined to test it out with Supermule to see if it is effective.
-
I would be glad to help Tim :)
-
So I tested it with Supermule.
Well I have 3 links (40/100, 20/20, 20/20)He took me down in 1 second with approx 3.09 Mbit traffic.
I have webserver behind this and all I see in that log is few lines of ACKs sent back and then silence.He syn flooded me on one (1) line out of 3 and everything went down.
Very nice >:(
-
So attack on one IP with 3.09mbit of traffic took down master AND slave as well despite not even running on that public IP??
Correct?
-
Yes, everything went down in less than 5 seconds.
-
You could be right on this one.
Yeah, we are all doomed. @Supermule:
Exactly and it takes pfSense offline immediately!
-
The kid in me wants more DDoS anecdotes.
The adult in me wants more debugging.Do syncookies and/or syn-cache help any?
I have a few days free. Send me the damn thing and I will read the FreeBSD handbook and solve what I can.
-
@supermule have you opened a bug report on redmine with some specifics & mailed the script/software/procedure to the devs ?
i doubt we'll get this sorted without their assistance.also, someone (who knows freebsd) should try to replicate it on stock freebsd
-
SSDD….
-
Yeah, we are all doomed. @Supermule:
Exactly and it takes pfSense offline immediately!
Yes you are. Never seen an active idiot like you on a forum. All your post (went through 100's, quite boring) are only negative, either you post google pics, "WTF", "NO", or "HELL"
Be a man, do some test before putting out shit…
-
@supermule have you opened a bug report on redmine with some specifics & mailed the script/software/procedure to the devs ? i doubt we'll get this sorted without their assistance.
No, of course not. It's much better to start a 20page "PM me to get DoS-ed" thread. ::)
Be a man, do some test before putting out shit…
What'd be purpose of the test? To post here yet another "oh noes, pfS died, t3h suxxx"?
-
I think the main point is there is no reason to scream fire in the same theater twice.
I'm sure whatever can be done will be done.
I'm just a casual bystander and for me the thread got boring already because I know the main pfsense guys and more than likely people inside BSD are on it by now.
The people who are continuing the thread already shed light on things but will not be the same people who resolve the issue.
So me personally… I think its time already to let the coders do their magic and wait.
-
Monthly updates for a long standing critical flaw would be nice. But I can appreciate busy programmers, been there, done that.
-
This is either really grave and so incurable that no one wants to officially talk about it and report back to community or they haven't figured out what Supermule does to bring it down.
Either ways this is very concerning. It's funny how you see no signs of devs being cocky about this like other issues. I hope that means they are hard at work. Really, pfsense will be useless if this is what happens…
I think we all owe Supermule a BIG thank you! Anyone says anything else is trying to hide this serious issue.
If devs have nothing to say to what Supermule has established then this is probably a business decision to shoot down the free version. I wonder if previous versions - all the way back to 1.2.3 - are also effected y this (Supermule would you please test?). If they are not then this is most likely a business decision. If they are, then it's probably an inherent issue with FreeBSD that needs attention.
-
This is either really grave and so incurable that no one wants to officially talk about it and report back to community or they haven't figured out what Supermule does to bring it down.
Either ways this is very concerning. It's funny how you see no signs of devs being cocky about this like other issues. I hope that means they are hard at work. Really, pfsense will be useless if this is what happens…
I think we all owe Supermule a BIG thank you! Anyone says anything else is trying to hide this serious issue.
If devs have nothing to say to what Supermule has established then this is probably a business decision to shoot down the free version. I wonder if previous versions - all the way back to 1.2.3 - are also effected y this (Supermule would you please test?). If they are not then this is most likely a business decision. If they are, then it's probably an inherent issue with FreeBSD that needs attention.
FUD, pure ans simple.
Unfortunately, although an issue has been identified, the root cause has not. Rather than fan the flames of "this sucks and so do the dev", what may I ask are you doing to determine the root cause?
pfSense is an open source community project. It's unfortunate that apparently most of the community is made up of weaksauce, cheese-eating surrender monkeys. Lots of whine with that cheese…
-
what may I ask are you doing to determine the root cause?
Yeah. The whole point here is that NOTHING is done to fix this. So this Supermule guy has a new toy, and goes like this:
_> Hey, I've got these top secret scripts. PM me to get DoS-ed
OK, here's the IP
Haha, pfSense died in seconds, gotcha! Watch this YT video. How did it feel? Did it suck?
Yeah, pretty much._This has been going on for about two months, with a bunch of crappy YT videos produced, nothing determined, and producing a completely useless thread with a bunch of ridiculous shit like the conspiracy stuff or suggestions to replace pf with the mighty Windows firewall.
Supermule, hand over the stuff to someone who has a clue => pfSense/FreeBSD devs. No offense, but you certainly do NOT have the know-how to determine the cause of the problem, let alone fix it. Enough of this crap already! Not entertaining, and a pure waste of time.
:( >:( >:(
-
SuperMule gave a link to a 3rd-party DOS testing service that has this exact same attack. Sounds like a fairly standard attack to me if 3rd-part DOS testing services already have this attack. He has provided packet dumps that included all valid UDP or TCP packets, just from a range of source IPs and ports.
Sounds strait forward. PFSense copes well with a single IP address attacking, but blows up with many different IPs. Completely guess since I didn't bother to pay for the service to test out doing a DOS instead of DDOS of said attack.
-
The kind Doktor apparently didnt notice that….
A lot of scripts are emerging right now that has these capabilites built in. That makes pfsense compeletely useless for any that hosts public services if a 3mbit DDoS can bring it down and take slave and 3rd links down as well.
What do you consider it to be on a scale of 1-10 if EVERYBODY can be taken offline instantly by scripts that is everybodys for the taking in a not so distant future.
What would happen to the forum if one is pissed on some of the devs or fort that matter somebody else?
Take it offline as long as they like.... the netgate store and everything else related to ESF can be gone in seconds.
OPNSense responds better (35 seconds) before its taken offline. Pfsense takes 1-2 seconds.
Make up your own mind...
-
A lot of scripts are emerging right now that has these capabilites built in. That makes pfsense compeletely useless for any that hosts public services if a 3mbit DDoS can bring it down and take slave and 3rd links down as well.
Yeah, a lot of scripts may be emerging… no wonder when two months of time have been wasted with your PM to DOS and Youtube shit. Congrats.
What do you consider it to be on a scale of 1-10 if EVERYBODY can be taken offline instantly by scripts that is everybodys for the taking in a not so distant future.
On a scale of 1-10 on how to handle issues in open-source code, you get 0 for acting like complete retard. Make up your own mind…
SuperMule gave a link to a 3rd-party DOS testing service that has this exact same attack.
Wonderful. Maybe he's getting some commission from them… ::)
-
The following is my opinion.
I don't really see this thread as being squarely aimed at root causing the issue as much as one of bringing to light the issue to make the community and pfSense team aware of the issue. Awareness has been accomplished.
Very disappointed in the response (or seemingly lack of response) by the pfSense team to either acknowledge or refute this issue. I would expect this from a fortune 500 company, but not from a grass roots originated, community contributed, effort like pfSense. :o
Really seems as though the pfSense team is not interested in engaging. This to me is an indication that there really is an issue and that the issue is beyond what they are capable of dealing with due to a technical limitation within the product. Or that there could be an unpalatable to the community agenda involved. Whatever the case or reason may be the response thus far does not instil confidence in the product or ESF. :(
Since I do not use this product in a business environment the issue itself is not of much concern to me. The pfSense team seemingly lack response and engagement though is very unpalatable.
If I were using pfSense in a business environment I would be very concerned though that with such a small amount of traffic pfSense could be taken off-line by a disgruntled employee, dissatisfied customer, or an unscrupulous competitor.
Regardless of one's philosophy of where such a low bandwidth "attack" should be mitigated. No modern firewall should be susceptible to being knocked off-line by as little as a few megabits of traffic. ::) This would be totally unacceptable to me in a business environment.