Netgate Discussion Forum

    What is the biggest attack in GBPS you stopped

General pfSense Questions
    737 Posts 33 Posters 815.7k Views
gadnet

hi,

I am hit by DDoS (UDP flood mostly) and looking for solutions, hopefully open-source ones. I wanted to know what was the biggest multi-gigabit attack you successfully stopped with your pfSense setup in the field (so not with null routing at ISP level) and what the hardware used was.

My actual issue is with 5 to 10 Gbps DDoS UDP flood attacks, so I am looking to see whether a 20 Gbps filtering firewall could work in the real world of April 2015 and help me mitigate 1-16 Gbps attacks. My problem is to filter it myself, not to ask upstream to help, so I really mean how I can filter this and whether anyone here has a setup playing at this level of Gbps.

regards,
Ghislain.

Supermule

You don't stand a chance with pfSense.

You need something that has been developed to mitigate the traffic.

gadnet

That's bad news; I hoped the Chelsio cards, PCIe v3 and a big Xeon would have enough to rate-limit UDP, if not more.

Is this, in your experience, a limit of the hardware or of the OS (FreeBSD here)?

I guess the answer is that the current software will not be fast enough on the current hardware, but I am just asking for your insight.

It does not seem a lot of people have tried it; I see on the forum only people like me who wonder if this can work, but nothing I can find showing that multi-gigabit protection has been successfully done with amd64-type servers and open-source firewalling.

regards,
Ghislain

Supermule

It's in the OS. Hardware can easily handle it if you've got some muscle.

I can take this site offline using a specific type of traffic that takes no more than 70-80 Mbps of bandwidth.

When that traffic hits pfSense, it's dead. Goes offline instantly. No matter how powerful the hardware is.

I run 8 cores, 16 GB RAM and SSD. Dead in a second if it hits.

gadnet

Well, that's scary.

Is there any way to have information on how to do this? Because I would love to test this against pfSense and diverse other solutions.

I guess all the FreeBSD ones will suffer this issue. Perhaps others competing in this space like VyOS, RouterOS or NetBSD, or basic Linux, or even basic FreeBSD or a modified pfSense, if the latest kernel is patched against the issue, could make it, depending on the issue used here. The thing is that the TCP/IP stack of FreeBSD is considered by the internet (and it is never wrong) to be the most reliable one, and a lot of others' TCP/IP stacks are borrowed from it, so it is scary that it could be killed by 80 Mbps.

Supermule

I can tell you this much…

Windows Firewall doesn't get affected by any of these attacks. If you put the server out front and only have WF running and forwarding traffic to the server, then it can handle it easily.

It seems to only affect UNIX/Linux/BSD distros.

gadnet

OK,

it seems nobody has had any DDoS success story yet, so it seems there is more thinking to be done.

best regards,

Guest

I can take this site offline using a specific type of traffic that takes no more than 70-80 Mbps of bandwidth.

Scary, or?

It seems to only affect UNIX/Linux/BSD distros.

Really sad to hear about it!

Pointing to the hardware, it would not be the thing, as I see it.
Lanner FW-8895: tests for pfSense are running at the moment, but at this time it is not running, related to the BIOS.
Lanner Packet Processing card: it would be awesome to see this card, which can handle 40 Gbit/s and comes with a bypass option, running under pfSense.

NOYB

@Supermule:

I can tell you this much…

Windows Firewall doesn't get affected by any of these attacks. If you put the server out front and only have WF running and forwarding traffic to the server, then it can handle it easily.

It seems to only affect UNIX/Linux/BSD distros.

Say what? After all these years of Windows bashing by the *nix and open-source fans, Windows Firewall puts it to shame. LOL

doktornotor

Dunno really what this debate is about. You don't stop DDoS via packet filters. You null-route it. It's damn useless to packet-filter DDoS crap; even if the firewall does not crash, the packet flood still totally fills your pipeline and renders it useless.

Supermule

Depending on your pipe.

I have 2x10G in the datacenter on WAN and it doesn't get filled at all. So no blocking of the pipe in that relation.

It's the handling of packets, and yes, you can packet-filter DDoS and not null-route it.

That's exactly what they want to achieve, and we need a FW solution that can handle it at wire speed.

No matter the cores and memory, pfSense still dies instantly.

So tell me where the culprit is, because traffic hardly gets to the servers at all. If I stick a Windows firewall on WAN directly on the server, then everything is fine even under several Gbit/s traffic patterns.

gadnet

@Supermule:

Depending on your pipe.

I have 2x10G in the datacenter on WAN and it doesn't get filled at all. So no blocking of the pipe in that relation.

It's the handling of packets, and yes, you can packet-filter DDoS and not null-route it.

That's exactly what they want to achieve, and we need a FW solution that can handle it at wire speed.

Exactly. Right now 6 Gbps does not fill the pipe of the main access, which peaks at 40 Gbps, but yes, it fills the pipe of the server, which is 1G. The purpose is to prevent null routing for all attacks smaller than half the pipe by putting a firewall between the main router and the rack (20 Gbps is half the datacenter pipe).

Supermule

And you can't do that with pfSense.

It can't handle the DDoS traffic at all; especially SYN-ACK and OVH scripts kill it instantly.

Nullity

That is an unorthodox way of arguing, Supermule: proving an item's inadequacies by proving your inability to skillfully operate said <thing> (pfSense, Linux, Ford F150, shovels, pants, etc.). To continually defend your stance, it is in your self-interest to not only stay ignorant, but perhaps even choose to learn exclusively the wrong ways of using <thing>. The worse your skills become with <thing>, the more it validates your standpoint. A strange way to prove a point… ;)

ghislain26, you say you can get your device installed earlier in the hops? Is this data center multi-homed?

Please correct any obvious misinformation in my posts.
-Not a professional; an arrogant ignoramus.

gadnet

@Nullity:

ghislain26, you say you can get your device installed earlier in the hops? Is this data center multi-homed?

From what I have been told, the 40 Gbps from multiple peerings arrives at 2 redundant Ciscos where I can connect to 10 Gbps ports (2 ports in bonding here), so I can filter there; normally the main routers go at 20 Gbps to the room routers.
So I would be playing the role of the room routers for my IPs with my filtering box and from there go to my rack, probably in bridging mode. Of course, the fact that I have basic knowledge of networking but not advanced knowledge limits my possibilities.

Nullity

@ghislain26:

@Nullity:

ghislain26, you say you can get your device installed earlier in the hops? Is this data center multi-homed?

From what I have been told, the 40 Gbps from multiple peerings arrives at 2 redundant Ciscos where I can connect to 10 Gbps ports (2 ports in bonding here), so I can filter there; normally the main routers go at 20 Gbps to the room routers.
So I would be playing the role of the room routers for my IPs with my filtering box and from there go to my rack, probably in bridging mode. Of course, the fact that I have basic knowledge of networking but not advanced knowledge limits my possibilities.

Do you have plenty of logs during the DDoS so that you can figure out what the first hints will be that the attack is beginning? Did they use just one type of attack, or did they use multiple? Did you get multiple types of DDoS simultaneously, or did the attacks come in coordinated waves? Did a majority of the IPs come from a common area that you can set an alias for?

Please correct any obvious misinformation in my posts.
-Not a professional; an arrogant ignoramus.

gadnet

The attack we faced was from 2 Gbps to 6.5 Gbps of small UDP packet floods on random ports (the destination ports changed every 10 minutes or so, from what I gathered). The IPs were numerous and from India and China, probably some botnet or simply spoofed, but I believe it was a botnet.

I do not have traces or evidence, as I had no filtering device, and when the attacks were "on" I was unable to reach the server until they null-routed my IP at the data center. So I am poking around to see if I can build up some protection; even if I know a flood bigger than 15 Gbps will probably get me null-routed anyway, I want to provide minimum resistance to the lesser floods and not be killed by one person with 2 servers flooding a 1 Gbps port.

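Added example (editor's, not code from any post in this thread and not pfSense's own): what an operator can actually try with pf against the two flood shapes discussed above, the SYN-type floods Supermule describes and the small-packet random-port UDP flood ghislain26 describes, plus a reducer that answers Nullity's questions once logs exist (what the first hint of an attack looks like, and which source prefixes are worth an alias). The interface name, addresses, ports, table name and the simplified log line layout are assumptions; real pfSense filterlog lines are a different CSV, so the awk field numbers would need adjusting. The pf directives are standard pf.conf(5) syntax; the fragment is written to a file for review with `pfctl -nf`, not loaded.

```shell
#!/bin/sh
# Added example: not code from the thread nor from pfSense.
# 1. write_pf_fragment: pf.conf fragment with pf's flood-related knobs
#    (review with "pfctl -nf FILE"; nothing here loads it).
# 2. flood_prefixes / udp_port_windows: reduce log lines to the /24s and
#    the per-window destination port that dominated a burst.
# Interface, addresses, ports, table name and log layout are assumed.

write_pf_fragment() {        # $1 = output file
    cat > "$1" <<'EOF'
ext_if = "igb0"              # WAN-side interface (assumed)
srv    = "198.51.100.10"     # protected host (assumed)
table <flooders> persist     # filled by overload below and by hand

# Each flood packet to a random port tries to create a state: raise the
# ceiling (states cost memory) and let idle UDP states expire quickly.
set limit states 2000000
set timeout { udp.first 10, udp.single 5, udp.multiple 10 }
set optimization aggressive
# Drop silently; "return" would answer every flood packet with RST/ICMP.
set block-policy drop

block in quick on $ext_if from <flooders>
block in on $ext_if

# TCP: synproxy completes the handshake on the firewall, so spoofed SYNs
# never reach $srv. Sources exceeding the limits on completed
# connections go into the table and their states are flushed.
pass in on $ext_if proto tcp to $srv port { 80 443 } \
    synproxy state (max-src-conn 100, max-src-conn-rate 30/10, \
    overload <flooders> flush global)

# UDP: no handshake, so the source proves nothing and the overload
# limits above do not apply. Allow only served ports; random-port
# floods fall through to the block rule.
pass in on $ext_if proto udp to $srv port 53 keep state (max-src-states 50)
EOF
}

# Constructed sample log (fields: epoch src dst proto dport len): forty
# hosts in one /24 send one small packet each to port 22222, and ten
# minutes later the same hosts hit port 33333, plus a little real traffic.
make_sample_log() {          # $1 = output file
    {
        i=0
        while [ $i -lt 40 ]; do
            echo "$((1428000000 + i % 5)) 203.0.113.$i 198.51.100.10 udp 22222 64"
            echo "$((1428000600 + i % 5)) 203.0.113.$i 198.51.100.10 udp 33333 64"
            i=$((i + 1))
        done
        echo "1428000001 198.18.0.7 198.51.100.10 udp 53 80"
        echo "1428000001 198.18.0.7 198.51.100.10 tcp 443 1500"
        echo "1428000002 192.0.2.9 198.51.100.10 udp 40001 64"
    } > "$1"
}

# "prefix sources packets" for every /24 with at least $2 distinct UDP
# sources, most sources first. Distinct sources is the signal: a flood
# spreads over many hosts, one chatty client is many packets from one.
flood_prefixes() {           # $1 = log file, $2 = minimum distinct sources
    awk -v min="$2" '
        $4 == "udp" {
            split($2, o, ".")
            p = o[1] "." o[2] "." o[3] ".0/24"
            if (!((p, $2) in seen)) { seen[p, $2] = 1; srcs[p]++ }
            pkts[p]++
        }
        END { for (p in srcs) if (srcs[p] >= min) print p, srcs[p], pkts[p] }
    ' "$1" | sort -k2,2nr
}

# "window dport sources": the UDP port with the most distinct sources in
# each $2-second window, which shows the target port rotating.
udp_port_windows() {         # $1 = log file, $2 = window length in seconds
    awk -v w="$2" '
        $4 == "udp" {
            win = int($1 / w) * w
            if (!((win, $5, $2) in seen)) { seen[win, $5, $2] = 1; n[win, $5]++ }
        }
        END {
            for (k in n) {
                split(k, f, SUBSEP); ws = f[1]; d = f[2]
                if (!(ws in best) || n[k] > n[ws, best[ws]]) best[ws] = d
            }
            for (ws in best) print ws, best[ws], n[ws, best[ws]]
        }
    ' "$1" | sort -n
}

# Stand-alone run: constructed sample in, prefixes and rotating port out.
log=$(mktemp)
make_sample_log "$log"
echo "## /24 prefixes with >= 10 distinct UDP sources (prefix sources packets)"
flood_prefixes "$log" 10
echo "## dominant UDP dport per 10-minute window (window dport sources)"
udp_port_windows "$log" 600
# On the firewall the first column feeds the table:
#   flood_prefixes "$log" 10 | cut -d' ' -f1 | xargs pfctl -t flooders -T add
rm -f "$log"
```

None of this changes the point doktornotor makes: once the link into the rack is full, dropping packets on the far side of it does nothing for the hosts behind it. What the fragment does is keep the firewall itself alive (drop instead of return, short UDP timeouts, a state ceiling it cannot run past) and take handshake-verified TCP abusers out early; for UDP the source address is unverifiable, so the per-source machinery is weaker and the number that matters is packets per second the box can evaluate, not Gbps.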
Guest

@ghislain26:

The attack we faced was from 2 Gbps to 6.5 Gbps of small UDP packet floods on random ports (the destination ports changed every 10 minutes or so, from what I gathered). The IPs were numerous and from India and China, probably some botnet or simply spoofed, but I believe it was a botnet.

I do not have traces or evidence, as I had no filtering device, and when the attacks were "on" I was unable to reach the server until they null-routed my IP at the data center. So I am poking around to see if I can build up some protection; even if I know a flood bigger than 15 Gbps will probably get me null-routed anyway, I want to provide minimum resistance to the lesser floods and not be killed by one person with 2 servers flooding a 1 Gbps port.

And there is nothing the datacenter your rack is in can do for you? How do they null-route the traffic for you? Why can't they offer you something to protect you from those DDoS attacks? It would be interesting to know if they are not offering such a service as an option on top of their service!

edit: I found something that would be placed between both routers at the WAN interfaces and the firewalls behind them; depending on what throughput we are talking about, the right appliance must be chosen. Here is a PDF from them about their hardware.

Corero IPS 5500 ES-Series

Supermule

If you are so smart and "godlike", then please post a working config and an IP that I can target.

Then I will prove my point…

When logging, it can be both TCP and UDP. UDP floods tend to be bandwidth-consuming, and TCP are specific protocols and maybe L7 traffic like VSE, RUDY or ARME scripts...

OVH takes down pfSense at once no matter the bandwidth. We have seen as low as 40 Mbit make it completely useless and servers unreachable.

@Nullity:

That is an unorthodox way of arguing, Supermule: proving an item's inadequacies by proving your inability to skillfully operate said <thing> (pfSense, Linux, Ford F150, shovels, pants, etc.). To continually defend your stance, it is in your self-interest to not only stay ignorant, but perhaps even choose to learn exclusively the wrong ways of using <thing>. The worse your skills become with <thing>, the more it validates your standpoint. A strange way to prove a point… ;)

ghislain26, you say you can get your device installed earlier in the hops? Is this data center multi-homed?

Nullity

@Supermule:

@Nullity:

That is an unorthodox way of arguing, Supermule: proving an item's inadequacies by proving your inability to skillfully operate said <thing> (pfSense, Linux, Ford F150, shovels, pants, etc.). To continually defend your stance, it is in your self-interest to not only stay ignorant, but perhaps even choose to learn exclusively the wrong ways of using <thing>. The worse your skills become with <thing>, the more it validates your standpoint. A strange way to prove a point… ;)

ghislain26, you say you can get your device installed earlier in the hops? Is this data center multi-homed?

If you are so smart and "godlike", then please post a working config and an IP that I can target.

Then I will prove my point…

When logging, it can be both TCP and UDP. UDP floods tend to be bandwidth-consuming, and TCP are specific protocols and maybe L7 traffic like VSE, RUDY or ARME scripts...

OVH takes down pfSense at once no matter the bandwidth. We have seen as low as 40 Mbit make it completely useless and servers unreachable.

Either become part of the solution to your problem, or move on. Perhaps create a thread dedicated to your problem and all the logical steps you have taken to isolate the bug. What led you to suspect that your bug affects all Unix-based operating systems?
What sort of things have you already eliminated as potential culprits? Have you already confirmed the cause of your bug?

Being light on the details and heavy on the emotion says obvious things about your intent, though… I could be wrong. :)

Please correct any obvious misinformation in my posts.
-Not a professional; an arrogant ignoramus.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.