Netgate Discussion Forum

    What is the biggest attack in GBPS you stopped

General pfSense Questions
    737 Posts 33 Posters 817.0k Views
• gadnet

      @KOM:

      You cannot mitigate a DDoS attack with a single firewall/router.  If it was that easy, don't you think Sony, Microsoft and anyone running a cloud service would do it and DDoS would be a thing of the past?  If it was that easy, why are there services like CloudFlare that specialize in DDoS protection?  Only global traffic inspection & load-balancing will do it for you… if you're willing to pay.

I don't think Sony was hit by only 6 Gbps. If I cannot protect myself against ALL DDoS, I should be able to mitigate the lesser ones. It's like saying there is no point locking your door because banks get robbed?

It seems that everybody just says that when a teenager gets angry he pays 10 bucks and boom goes your site; just null route it and wait a week or two and it will be okay, or pay $9209318401841 for a protection service with Arbor?

All I see until now is that nobody seems to use pfSense successfully for something bigger than a single Gb, or they stay silent :) For now all agree that it (and FreeBSD) cannot handle this.

Thanks for all the time you dedicated to answering me. I will continue my journey for a solution (I will continue to monitor the forum about this, just in case).

      best regards,
      Ghislain.

• Nullity

        Stopping someone from entering your home; pfSense can do that.

        Stopping someone from picketing your house; pfSense cannot do that (from inside your house). You need to own the entire neighborhood.

        I would like to see some examples of someone stopping, or even slightly mitigating, a UDP-based DDoS while only controlling the final hop.

        Please correct any obvious misinformation in my posts.
-Not a professional; an arrogant ignoramus.

• Guest

          @Ghislain

It seems that everybody just says that when a teenager gets angry he pays 10 bucks and boom goes your site; just null route it and wait a week or two and it will be okay

He doesn't have to pay anything; he downloads a piece of software, as many others also do, and then they are
all attacking your site. DoS is not DDoS!  8)

          or pay 9209318401841$ for a protection service with arbor ?

Dealing with 10 Gbit/s, once or multiple times, is no child's game; this is business, like
IT, and this was never and will never be a game, journey or something for the "get it cheap"
generation, as I see it. And if your DC is not able to protect you from those attacks,
it will show that this is not one more option to make money but rather means spending
much more money than most customers want to pay. Because this could be done,
it also does not mean that you spend a lot of money and solve it forever, because the
next DDoS attack could then hit you with 65 GBit/s, and more sufficient hardware or
services would then be really urgently needed. With the Corero IPS 5500-2400ES you will be
able to protect your server, and this was in my eyes the core of your question. For sure those
devices are not to be had for a few bucks on eBay, and also not to be collected from the dump
for nothing.  :D

          All i see until now is that nobody seems to use pfsense successfully for somethign bigger than a single Gb or they stay silent :) For now all agree that it (and freeBSD) cannot handle this.

This is really sad in my eyes; only because your wishes could not be solved, we
are all now the small players in this scene? But I was telling you, and by posting a link, something about
how we protect our company by using Corero devices, and why are we all now using a single GBit/s
WAN line??? For sure we must pay for that, and in this scenario also twice.  ;)

          For now all agree that it (and freeBSD) cannot handle this.

If Lanner gets the FW-8895 working for pfSense and the Tilera packet processing cards become
usable, you get a fair chance to work it out with OpenDPI, but as I read it between
the lines, it could then also again be very expensive, and this is nothing for you and your business,
as you want to get it cheap. Because pfSense is open source and free of cost, that does not
mean that pfSense is not willing to have an adequate hardware basis to run smoothly for the job!

          Thanks for all the time you dedicated to answering  me, i will continue my journey for a solution (i will continue to monitor the forum about this just in case).

Then you can start here, in 2012, same question and with the same answers.
Stop 10 Gbps of DDoS?  :o

• Supermule

            EXACTLY!

And the funny shit is that it also dies when changing SYNPROXY state to STATELESS!

What would that tell you??

What's even funnier is that using OVH scripts and limiting the PPS per rule (even the block-all rule) doesn't help. You can create an advanced ruleset with 100 PPS and it still dies on specific scripts. Then the total bandwidth will be very small, but pfSense dies…

Where to look for an error like that? It's buried deep within BSD/Linux.

I revived an old ISA Server 2006 and tested it out front, and it wasn't affected when configured.

            @Harvy66:

Null routing won't protect you against spoofed source IPs. It's the firewall's job to drop out-of-state packets, not die. I understand that the fast path is when the state already exists, I understand that running through the rules is not quite as fast as the fast path, but that's not the issue either. The issue is that dropped packets are somehow the most expensive path of all, to the point that the router dies with only a relative trickle of them.

Maybe this is more of a FreeBSD issue than a pfSense one, but it seems to be something misconfigured or a fundamental flaw.

            Step 1) See if packet is part of an existing flow, if so pass, else goto step 2
            Step 2) Check packet against rules, if passes, create new flow, else goto step 3
            Step 3) Drop packet then jump off a cliff

            Step 3 needs to be fixed to not be so emo.

• gadnet

              @Nullity:

              I would like to see some examples of someone stopping, or even slightly mitigating, a UDP-based DDoS while only controlling the final hop.

As long as you do not fill up the pipe, I would have hoped that a

INCOMING UDP to this IP => DROP ALL

could let my web server continue working; this should not cost that much to a dual eight-core Xeon with multiple 10 Gbps Chelsio T5 cards and plenty of DDR4 RAM.

I understand I have only a theoretical 2000 ft view of it, but the numbers seem to indicate that this level of hardware is theoretically capable of handling the flow; now, the cost of the operating system and TCP stack is a big part of the unknown here, but I was naively thinking it could do this.

I am not trying to do this on the cheap; what I am trying to do is keep control of it. Open source is a way to keep control of what is done and better than a black box IMHO. Also, more importantly, I am trying to see if anyone has such a setup. All the answers here indicate that this is not the case and not feasible, and that I should look for upstream protection. If this is the experience of people in the field, I understand; I keep looking anyway.

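A worked version of the rule gadnet describes ("INCOMING UDP to this IP => DROP ALL"), laid out so that it also follows the three-step lookup Harvy66 outlines earlier (existing state, then rules, then drop). This is an added, hand-written pf.conf fragment for illustration; it is not a configuration posted in this thread and not the pf.conf pfSense generates from its GUI rules. The interface name em0, the address 203.0.113.10, the state limit and the rate-limit numbers are all assumptions.

```pf
# Added example: hand-written pf.conf fragment, not from the thread or the pfSense project.
# Assumed names: em0 is the WAN interface, 203.0.113.10 the public web server.
ext_if  = "em0"
web_srv = "203.0.113.10"

# Sources that exceed the TCP connection-rate limit below are parked here.
table <flood> persist

# Room for legitimate states; the number is illustrative, size it for the host.
set limit states 500000
set optimization aggressive

# Nothing more from a source that has already tripped the rate limit.
block in quick on $ext_if from <flood>

# Addresses that cannot legitimately arrive on the WAN (obviously spoofed sources).
block in quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8 }

# gadnet's "INCOMING UDP to this IP => DROP ALL". Because of "quick", a flood
# packet is dropped at this rule, creates no state and is not logged.
block in quick on $ext_if proto udp to $web_srv

# Only the services the host really offers. synproxy makes pf complete the
# handshake itself before the server sees anything, so a spoofed SYN never
# creates a full state; the rate limit moves overly chatty sources into <flood>.
pass in quick on $ext_if proto tcp to $web_srv port { 80, 443 } \
    flags S/SA synproxy state \
    (max-src-conn-rate 100/10, overload <flood> flush global)

# Everything else inbound on the WAN is dropped without logging; "block log"
# would add a per-packet cost precisely when you can least afford it.
block in quick on $ext_if
```

pf consults the state table before the ruleset, so packets of an established flow take the fast path and never touch these rules; a packet with no state walks the rules top to bottom and stops at the first `quick` match, which is why the cheap block rules sit first and why the list is short. Check the syntax with `pfctl -nf /etc/pf.conf` and watch the state and counter output of `pfctl -si` while generating load. None of this helps once the upstream link itself is saturated, which is the limitation several posters in the thread point out; the rules only keep the firewall and the server usable while the pipe still has headroom.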
• Guest

                opensource is a way to keep control of what is done and beter than a blackbox imho.

Open source or closed source, black box or self-made box, it is all the same to me. If I have a problem
and find someone who is able to solve it, that is my dealer!

See where they are placing their solution: between the routers and the firewalls.
And you try to find a way to solve the problems at only one point, the firewall.

                Picture source: Corero.com

                ![Corero IPS 5500.jpg](/public/imported_attachments/1/Corero IPS 5500.jpg)

• KOM

                  It's like saying there is no point to lock your door because bank are robbed ?

                  No, I'm saying that the strongest door you can find will happily collapse when it's being pounded on by a tank.

• Supermule

                    Try to add this manually in the system -> tunables

                    kern.ipc.somaxconn = 32768

                    And test again. We have seen some improvement using that setting

• Nullity

                      @Supermule:

                      Try to add this manually in the system -> tunables

                      kern.ipc.somaxconn = 32768

                      And test again. We have seen some improvement using that setting

                      Was the improvement seen during a TCP or UDP DDoS?

                      Please correct any obvious misinformation in my posts.
-Not a professional; an arrogant ignoramus.

• Supermule

                        Test using TCP scripts.

• NOYB

                          @KOM:

                          It's like saying there is no point to lock your door because bank are robbed ?

                          No, I'm saying that the strongest door you can find will happily collapse when it's being pounded on by a tank.

                          If what Supermule is saying is correct, 70-80 Mbps is no tank.  It's like a spit wad pea shooter.

                          If pfSense really can be taken down by that, that is a huge serious issue.

                          @Supermule:

It's in the OS. Hardware can easily handle it if you've got some muscle.

I can take this site offline using a specific type of traffic that takes no more than 70-80 Mbps of bandwidth.

When that traffic hits pfSense, it's dead. Goes offline instantly. No matter how powerful the hardware is.

                          I run 8 Core, 16GB ram and SSD. Dead in a second if it hits.

• Supermule

It is. And we have contacted the dev team, but no replies at all from Chris on this issue (2-3 months).

• Derelict (Netgate)

                              You mentioned Windows weathers it better.  What about something like a Cisco ASA?

                              Chattanooga, Tennessee, USA
                              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                              Do Not Chat For Help! NO_WAN_EGRESS(TM)

• Supermule

We haven't had the pleasure of having one available to test.

• doktornotor

                                  Christ, we are back to this "oooooooh I've got a supersecret attack to instacrash pfSense"  noise again?

• KOM

                                    If what Supermule is saying is correct, 70-80 Mbps is no tank.  It's like a spit wad pea shooter.

                                    Well, it really depends on what you have.  70-80 Mbps wouldn't take down my corporate link, but it would totally hammer the links of many smaller companies I know.

                                    If pfSense really can be taken down by that, that is a huge serious issue.

                                    Agreed.  However, I will reserve judgement until I see more than hand-waving.

• Supermule

                                      Send me an IP address to test….

                                      Then I will surprise you.

• NOYB

                                        @KOM:

                                        Well, it really depends on what you have.  70-80 Mbps wouldn't take down my corporate link, but it would totally hammer the links of many smaller companies I know.

                                        This is not about taking down the "link" (filling the pipe).  It is about taking down pfSense.  In which case the link (pipe) may as well be down.  The point that is being put forth is that it doesn't matter that you have gigabit + pipe when it only takes about 70-80 Mbps to take down pfSense.  Rendering the pipe useless.

                                        @KOM:

                                        I will reserve judgement until I see more than hand-waving.

                                        Supermule has made the offer to prove it.  What are you waiting for?  Accept the challenge.

                                        Supermule has made the offer to prove this several times in this thread.  Would someone please take the challenge.  I would but don't have 70-80 Mbps of bandwidth.

• KOM

                                          What are you waiting for?  Accept the challenge.

                                          I already did and didn't see what he was talking about.  He blasted me with a sustained 90 Mbps, my link max.  Our access was slow and I was getting service alarms from our external sensors, but pfSense was responsive.  I didn't see anything that I wouldn't already expect to see while under DoS.  He wanted to try another test where he blasts a port-forwarded server but I didn't have time or patience today for that.

• Supermule

From the outside, his link was taken down immediately and it didn't respond to ping at all.

And that was on a pfSense that had NO port forwards set.

If it had a server behind it and was actually trying to route to it, then his GUI would be hit as well.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.