What is the biggest attack in GBPS you stopped
-
what may I ask are you doing to determine the root cause?
Yeah. The whole point here is that NOTHING is done to fix this. So this Supermule guy has a new toy, and goes like this:
_> Hey, I've got these top secret scripts. PM me to get DoS-ed
OK, here's the IP
Haha, pfSense died in seconds, gotcha! Watch this YT video. How did it feel? Did it suck?
Yeah, pretty much._This has been going on for about two months, with a bunch of crappy YT videos produced, nothing determined, and producing a completely useless thread with a bunch of ridiculous shit like the conspiracy stuff or suggestions to replace pf with the mighty Windows firewall.
Supermule, hand over the stuff to someone who has a clue => pfSense/FreeBSD devs. No offense, but you certainly do NOT have the know-how to determine the cause of the problem, let alone fix it. Enough of this crap already! Not entertaining, and a pure waste of time.
:( >:( >:(
-
SuperMule gave a link to a 3rd-party DOS testing service that has this exact same attack. Sounds like a fairly standard attack to me if 3rd-part DOS testing services already have this attack. He has provided packet dumps that included all valid UDP or TCP packets, just from a range of source IPs and ports.
Sounds strait forward. PFSense copes well with a single IP address attacking, but blows up with many different IPs. Completely guess since I didn't bother to pay for the service to test out doing a DOS instead of DDOS of said attack.
-
The kind Doktor apparently didnt notice that….
A lot of scripts are emerging right now that has these capabilites built in. That makes pfsense compeletely useless for any that hosts public services if a 3mbit DDoS can bring it down and take slave and 3rd links down as well.
What do you consider it to be on a scale of 1-10 if EVERYBODY can be taken offline instantly by scripts that is everybodys for the taking in a not so distant future.
What would happen to the forum if one is pissed on some of the devs or fort that matter somebody else?
Take it offline as long as they like.... the netgate store and everything else related to ESF can be gone in seconds.
OPNSense responds better (35 seconds) before its taken offline. Pfsense takes 1-2 seconds.
Make up your own mind...
-
A lot of scripts are emerging right now that has these capabilites built in. That makes pfsense compeletely useless for any that hosts public services if a 3mbit DDoS can bring it down and take slave and 3rd links down as well.
Yeah, a lot of scripts may be emerging… no wonder when two months of time have been wasted with your PM to DOS and Youtube shit. Congrats.
What do you consider it to be on a scale of 1-10 if EVERYBODY can be taken offline instantly by scripts that is everybodys for the taking in a not so distant future.
On a scale of 1-10 on how to handle issues in open-source code, you get 0 for acting like complete retard. Make up your own mind…
SuperMule gave a link to a 3rd-party DOS testing service that has this exact same attack.
Wonderful. Maybe he's getting some commission from them… ::)
-
The following is my opinion.
I don't really see this thread as being squarely aimed at root causing the issue as much as one of bringing to light the issue to make the community and pfSense team aware of the issue. Awareness has been accomplished.
Very disappointed in the response (or seemingly lack of response) by the pfSense team to either acknowledge or refute this issue. I would expect this from a fortune 500 company, but not from a grass roots originated, community contributed, effort like pfSense. :o
Really seems as though the pfSense team is not interested in engaging. This to me is an indication that there really is an issue and that the issue is beyond what they are capable of dealing with due to a technical limitation within the product. Or that there could be an unpalatable to the community agenda involved. Whatever the case or reason may be the response thus far does not instil confidence in the product or ESF. :(
Since I do not use this product in a business environment the issue itself is not of much concern to me. The pfSense team seemingly lack response and engagement though is very unpalatable.
If I were using pfSense in a business environment I would be very concerned though that with such a small amount of traffic pfSense could be taken off-line by a disgruntled employee, dissatisfied customer, or an unscrupulous competitor.
Regardless of one's philosophy of where such a low bandwidth "attack" should be mitigated. No modern firewall should be susceptible to being knocked off-line by as little as a few megabits of traffic. ::) This would be totally unacceptable to me in a business environment.
-
Its been 3+ months since this was forwarded to the devs by Lowprofile and me.
There has been NOTHING other than scattered emails and one PM to me about pcaps from CMB and he could get it since its in this thread.
I find that fact pretty scary since people buy commercial support and gold memberships to support the project.
But when its really needed, everything went quiet and almost no responde other than accusations of me bringing down the forum.
I would love to help out, but I am not a freebsd/linux guru and I cannot provide anything besides point out there is an issue, trying to enlighten people and show how it affects pfsense and other firewall distros.
Thats why I ask for testers and help from people like Doktornotor since I know he is a dev. and all I get is shit from him.
I have promised not to spread the script since as it is, it can take down any firewall running pfsense and other OS'.
Its like having a dirty bomb and people asking for copies, than all hell breaks lose.
What else can I do to draw attention to this and have a response to the issue?
The following is my opinion.
I don't really see this thread as being squarely aimed at root causing the issue as much as one of bringing to light the issue to make the community and pfSense team aware of the issue. Awareness has been accomplished.
Very disappointed in the response (or seemingly lack of response) by the pfSense team to either acknowledge or refute this issue. I would expect this from a fortune 500 company, but not from a grass roots originated, community contributed, effort like pfSense. :o
Really seems as though the pfSense team is not interested in engaging. This to me is an indication that there really is an issue and that the issue is beyond what they are capable of dealing with due to a technical limitation within the product. Or that there could be an unpalatable to the community agenda involved. Whatever the case or reason may be the response thus far does not instil confidence in the product or ESF. :(
Since I do not use this product in a business environment the issue itself is not of much concern to me. The pfSense team seemingly lack response and engagement though is very unpalatable.
If I were using pfSense in a business environment I would be very concerned though that with such a small amount of traffic pfSense could be taken off-line by a disgruntled employee, dissatisfied customer, or an unscrupulous competitor.
Regardless of one's philosophy of where such a low bandwidth "attack" should be mitigated. No modern firewall should be susceptible to being knocked off-line by as little as a few megabits of traffic. ::) This would be totally unacceptable to me in a business environment.
-
Its been 3+ months since this was forwarded to the devs by Lowprofile and me.
There has been NOTHING other than scattered emails and one PM to me about pcaps from CMB and he could get it since its in this thread.
I find that fact pretty scary since people buy commercial support and gold memberships to support the project.
But when its really needed, everything went quiet and almost no responde other than accusations of me bringing down the forum.
I would love to help out, but I am not a freebsd/linux guru and I cannot provide anything besides point out there is an issue, trying to enlighten people and show how it affects pfsense and other firewall distros.
Thats why I ask for testers and help from people like Doktornotor since I know he is a dev. and all I get is shit from him.
I have promised not to spread the script since as it is, it can take down any firewall running pfsense and other OS'.
Its like having a dirty bomb and people asking for copies, than all hell breaks lose.
What else can I do to draw attention to this and have a response to the issue?
Only time will tell what the devs agenda is on this. For all I know there is enough testing done here. It is up to us the users to decide whether we care or not now. The devs make their money different ways and have different priorities. The good doktor is trying to troll. He is useless so far himself. Supermule has produced results. What have you done? At least don't blame the guy. He can't spoon feed you many times over. If he releases this script to the forum, don't you think someone will pick the script and attack everyone? He already says he went to devs 3 months ago and scripts are available so I am not sure what your point is? Do you still not believe this happening or what? If you think this is fake then let us know how otherwise let the man get the attention needed. He said it repeatedly that devs are not responding and yet you go on ranting about how he should do more free work for you. STOP IT doktornotor - you are annoying and trolling. PM supermule if you have good intentions.
-
Supermule has produced results. What have you done? At least don't blame the guy. **With all due respect to Supermule, and I am actively working with him, he hasn't produced results. He's provided a use case. That use case triggers an adverse result. That's what he's produced. I will be working with him to narrow down if that is rooted in FreeBSD 10.1 or pfSense. It'll take a few weeks for me to make infrastructure changes and build servers, but I think it'll narrow it down.
I'm not here to defend Supermule, but I am absolutely here to work with him to put the effort into determining the root cause with the resources I have available to me.
Isn't that how open source communities work?
I understand Supermule's frustration because the devs on this forums are so cocky at times and jump at you the moment you talk about security or features. I have seen that first hand. I am just in the process of setting a test bed myself but if I see same results then I would know for sure that anyone who says otherwise is trolling or stalling what Supermule is trying to put out here. If he is a whistleblower then you should appreciate him regardless of whether he helps anymore or not.
We, the users, do NOT code! but we give the devs the power to see all the download and usage statistics so YES we are directly contributing to make this product better by simply using it.
Turn the thread into a progress report if you care - otherwise, I don't believe anything you say unless a new version comes that is not prone to the same attack.
Pfsense is AWESOME! but if they turn this into a personal war against Supermule then it's really stupid of devs even if it is for buying time. He has raised his voice and has all the right to do so in whatever way he wants. This is an opensource project so suck it, fix it, and move on. No one is giving handouts here - everyone contributes!**
-
I do not appreciate SM's disclosure. No developer would. However, I am trying to respond to it in a way that I can contribute.
Users absolutely DO code.Most of users do NOT code! We contribute by download, test, and report. Devs make their money indirectly from this. Don't act superior to other users. The fact that you did coding or not has NO VALUE. You did it for your own personal gain regardless. One doesn't need a business major to understand this. This project exists because of it's user-base (Small or big). You are not important any more than any other user here. Don't flatter yourself!
I do NOT understand why you make this about Supermule's character or method of disclosure while this is simply a really bad thing happening out there that has nothing to do with anything but the issue itself. Attack the problem, not the messenger. Are you pissed that he found it? I am certain he is not lying when he says Devs give him shit for reporting this. Once again, people like you are trying to change focus from what he is saying. And you are full of shit because if you saw no value in what Supermule found then you wouldn't be so angry here. If you don't believe this is serious then forget it and move on. If you do believe he is onto something and you still DO NOT APPRECIATE HIM then, …. (fill the dots yourself)
And what the heck is a white hat? Who decides who is a white hat - you? LOL - No one trusts you when you take the high moral ground to everyone else! STOP ATTACKING HIS CHARECTER - this is stupid
-
Geesus guys!
Take it easy. Just got up on a sunday and all this bickering is not good for the community.
Lets get into solution mode and see if we can assist the dev's on this one since it seems to be pretty severe.
Go grab a coffee and a donut :)
I will read my PM's in the meantime with people wanting to help. Really appreciated guys!
-
-
My apologies. The Jameson made Mr. Hyde come out.
-
Geesus guys!
Take it easy. Just got up on a sunday and all this bickering is not good for the community.
Lets get into solution mode and see if we can assist the dev's on this one since it seems to be pretty severe.
Go grab a coffee and a donut :)
I will read my PM's in the meantime with people wanting to help. Really appreciated guys!
Coffee sounds really good. Still waiting to get a coffee grinder and a french press. I don't trust coffee filters unless stainless steel, and those are hard to find outside of a french press. I don't like to use paper filters because it seems like a such a waste of paper and many are treated with a range of chemicals, and plastic filters, well, food grade nylon is only rated for 165f before it starts leeching chemicals.
I drink my tea every morning, but I really want free leaf and a tea ball, so I can cut down on waste materials. Took a lot of reviews, but I found a tea that uses compress air to whiten their bags, instead of chemicals, their bags don't use staples only tied so less waste, and chemical analysis shows very low levels of lead and other heavy metals compared to other brands and well below safety limits, and virtually no pesticide residue.
We may be living long compared to people decades ago, but I take the stance that if everything you eat is technically safe, you're just going to get death by a thousand cuts. I don't just want "safe" levels just below the maximum, I want the best that can be done, with in reason.
There's my random weekend off-topic rant.
Next on the agenda, replacing mercury filled florescent lightbulbs with LED lights, but ones that don't have a strong blue spectrum that causes eye strain.
-
Can someone give a proper summary of what the problem actually is so others don't have to wade through 20+ pages to find the info?
Specifically: Is the traffic in question actually passed, or blocked? Is a service on the firewall running pfSense (such as the GUI) exposed to the test source or is the traffic being passed through to an internal host (port forward, routed, etc)? – This is important because a SYN flood to pfSense as a host is completely different than a flood through pfSense as a forwarder/firewall.
If the traffic is passing through the firewall, using rules to clamp down state limits, or going stateless properly (floating quick OUT rules to pass out with no state along with the pass in rules on the other tabs) may help.
If the traffic is targeting the firewall itself, then there are things that can be tweaked (syncache parameters, for example), but it's yet another reason the services on the firewall such as the GUI and SSH should not be exposed to the Internet in general. State limits can help there as well.
Also the "size" of an attack in Mbit/s or Gbit/s is not as important to know as the PPS rate which tends to be the limiting factor when dealing with small packets such as this.
-
Can someone give a proper summary of what the problem actually is so others don't have to wade through 20+ pages to find the info?
Yes.
Supermule, Tim.Mcmanus, and I (almabes) are going to work on this. I will get together some documentation once we get the problem isolated.To quote the late, great Joe Cocker
We could use a little help from our friends. -
Also the "size" of an attack in Mbit/s or Gbit/s is not as important to know as the PPS rate which tends to be the limiting factor when dealing with small packets such as this.
Hi Jimp,
In my tests with Supermule, he was able to take down my pfSense 2.2.2 factory fresh install with no ports open. By take down, I mean the GUI was not responding, ping to pfSense was met with no response, ping to google.com stopped responding, and I could not browse the internet. It tooks about 30-60 seconds for pfsense to become responsive once he stopped the attack. Supermule said he was attacking with 5-6mbit. Following is what I had from the console at one point during the attack.
I am getting "500 Internal Server Error nginx" when I am posting to your reply. So, I put my findings on paste bin here which is very interesting:
http://pastebin.com/CRGh1hHTAfter attack stop, I saw this: 05-18-15 11:48:00 [ There were error(s) loading the rules: pfctl: DIOCXCOMMIT: Device busy - The line in question reads [0]: ]
-
Can you post screen shots of your AllGraphs for the System tab instead if just the processor?
-
Also, has anyone taken a stock FreeBSD 10.1 box with pf and a basic ruleset to see if the same happens there?
If so, it would be worth reporting upstream as well.
-
Also, has anyone taken a stock FreeBSD 10.1 box with pf and a basic ruleset to see if the same happens there?
If so, it would be worth reporting upstream as well.
I can probably do this, but it'll be about a week before I can present data and metrics. I already have a clean FreeBSD 10.1 and Apache 4.2 server built for testing. Enabling PF shouldn't be too difficult, I just need to plot out the architecture and possibly roll another 10.1 VM with two interfaces and a point to dead end traffic.
-
OPNSense responds better (35 seconds) before its taken offline.
Make up your own mind…
You mean their Ubuntu VPS web server that isn't behind a firewall at all. Yeah, make up your own mind indeed.