Netgate Discussion Forum

    What is the biggest attack in GBPS you stopped

    General pfSense Questions

      Supermule Banned

      We haven't had the pleasure of having one available to test.

        doktornotor Banned

        Christ, we are back to this "oooooooh I've got a supersecret attack to instacrash pfSense"  noise again?

          KOM

          If what Supermule is saying is correct, 70-80 Mbps is no tank.  It's like a spit wad pea shooter.

          Well, it really depends on what you have.  70-80 Mbps wouldn't take down my corporate link, but it would totally hammer the links of many smaller companies I know.

          If pfSense really can be taken down by that, that is a huge serious issue.

          Agreed.  However, I will reserve judgement until I see more than hand-waving.

            Supermule Banned

            Send me an IP address to test….

            Then I will surprise you.

              NOYB

              @KOM:

              Well, it really depends on what you have.  70-80 Mbps wouldn't take down my corporate link, but it would totally hammer the links of many smaller companies I know.

              This is not about taking down the "link" (filling the pipe).  It is about taking down pfSense.  In which case the link (pipe) may as well be down.  The point that is being put forth is that it doesn't matter that you have gigabit + pipe when it only takes about 70-80 Mbps to take down pfSense.  Rendering the pipe useless.

              @KOM:

              I will reserve judgement until I see more than hand-waving.

              Supermule has made the offer to prove it.  What are you waiting for?  Accept the challenge.

              Supermule has made the offer to prove this several times in this thread.  Would someone please take the challenge.  I would but don't have 70-80 Mbps of bandwidth.

                KOM

                What are you waiting for?  Accept the challenge.

                I already did and didn't see what he was talking about.  He blasted me with a sustained 90 Mbps, my link max.  Our access was slow and I was getting service alarms from our external sensors, but pfSense was responsive.  I didn't see anything that I wouldn't already expect to see while under DoS.  He wanted to try another test where he blasts a port-forwarded server but I didn't have time or patience today for that.

                  Supermule Banned

                  From the outside, his link was taken down immediately and it didn't respond to ping at all.

                  And that was on a pfsense that had NO port forwards set.

                  If it had a server behind and actually trying to route it, then his GUI would be hit as well.

                    KOM

                    But why would the GUI be slow?  While under full load, my CPU never rose above a few percent.  Minor disk activity.

                    I do think it would be nice for someone official to chime in either way.

                      Supermule Banned

                      Exactly. It doesn't but it takes you offline even if it shouldn't…. but wait until you actually have a route to a server.

                      Then the load will be very visible in the GUI. Even if very few states and not much load is on the system.

                      You will see it in traffic graphs among other things, that they don't update as they should. There could be as much as 10 seconds between the graph updates when hit.

                        KOM

                        It doesn't but it takes you offline even if it shouldn't….

                        Maybe I'm misunderstanding something, but yes, I do fully expect to be blown off the network if you flood my WAN.  That's a DoS by definition, is it not?

                          NOYB

                          @KOM:

                          It doesn't but it takes you offline even if it shouldn't….

                          Maybe I'm misunderstanding something, but yes, I do fully expect to be blown off the network if you flood my WAN.  That's a DoS by definition, is it not?

                          I think the point here is that if pfSense can be knocked off with as little as 70-80 mbps, a gigabit pipe doesn't need to be flooded.  It's not about flooding the pipe.

                          Maybe not a problem for those with less bandwidth.  But for those with a huge pipe, gigabit or more even, it would make it very easy for an attack to knock them offline with as little as 70-80 mbps.  Nowhere near saturating a gigabit pipe.  Easy prey for an attacker.  Wouldn't even have to allocate many resources.

                          Yes it would be nice to hear from someone official.  If they were informed of this 2 to 3 months ago, and have not responded, why do you suppose that would be?

                            Supermule Banned

                            They were. CMB promised to get back to us but hasn't.

                              kejianshi

                              I'm not sure what you expect man…  A daily post from CMB saying he hasn't solved your issue yet?

                                Supermule Banned

                                No….but maybe some updates to what they find or not find??

                                Maybe hints to what could be done to minimize impact by adding things to system -> tunables??

                                  kejianshi

                                  My impression thus far is there is nothing they have been able to figure out because it's an OS issue.  I know they talked a bit about it and posted about it in the past after someone took down their store website especially.  I wouldn't expect a whole bunch of talk from them until they figure it out which will probably happen when the OS gets patched.  That's my guess.

                                  Generally speaking though, I think you want a specialized DDOS prevention service between your routers and the internet.

                                  Be careful with that too.  A couple days ago our DDOS protection got mysteriously hyper-sensitive and started blocking most everything!

                                    Harvy66

                                    @KOM:

                                    What are you waiting for?  Accept the challenge.

                                    I already did and didn't see what he was talking about.  He blasted me with a sustained 90 Mbps, my link max.  Our access was slow and I was getting service alarms from our external sensors, but pfSense was responsive.  I didn't see anything that I wouldn't already expect to see while under DoS.  He wanted to try another test where he blasts a port-forwarded server but I didn't have time or patience today for that.

                                    Ahh, some new info that I haven't heard of until now. In the YouTube videos of his own machine, small amounts of bandwidth were doing a lot more than just reducing bandwidth. But against your box, assuming the same attack, it didn't do much of anything other than just eat some bandwidth.

                                    I wouldn't mind participating in being a guinea pig for a short bit. I would like to see if any value below 95Mb can render my 100Mb connection dead.

                                      Supermule Banned

                                      Send me a PM :)

                                        Harvy66

                                        I just suddenly thought it would be funny if the issue was that the logging caused by the default block rules was spamming his log and hanging the system, with the abrupt swings caused by the system attempting to make room in the log.

                                        I think we covered this at one point, but I'm in a daze from lack of sleep and a busy week…. And Monday is tomorrow.. uhggg.

                                          Harvy66

                                          Supermule ran the test on me and my wife got angry, I was having fun.

                                          It started off like this, about 70Mb/s of traffic coming in and my WAN dropped out

                                          After tens more seconds, it got worse

                                          Overall CPU usage seems low during this time, but part way through, really really bad things started to happen. I could not even talk to my admin interface.

                                          This was all during the sub max bandwidth test of around 70Mb or less.

                                          Eventually it transitioned into a bandwidth DDOS which maxed out my connection. PFSense started to respond again, but the Internet was mostly dead as expected when you have no bandwidth

                                          The first quite of tests were the worst. The low bandwidth test made the entire PFSense box unresponsive

                                          During the first tests, when PFSense was responding, it claimed CPU usage was low and System Activity looked normal.

                                          During the high bandwidth test, CPU usage was high, but at least PFSense was responding correctly.

                                            Supermule Banned

                                            Your box died using specific low bandwidth scripts as predicted. Low bandwidth script not using your CPU either.

                                            Your box got more responsive using SSYN but using larger packet size. 100mbit traffic….

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.