What is the biggest attack in GBPS you stopped
-
From the outside, his link was taken down immediately and it didnt respond to ping at all.
And that was on a pfsense that had NO port forwards set.
If it had a server behind and actually trying to route it, then his GUI would be hit as well.
-
But why would the GUI be slow? While under full load, my CPU never rose above a few percent. Minor disk activity.
I do think it would be nice for someone official to chime in either way.
-
Exactly. It doesnt but it takes you offline even if it shouldnt…. but wait until you actually have a route to a server.
Then the load will be very visible in the GUI. Even if very few states and not much load is on the system.
You will see it in traffic graphs among other things, that they dont update as it should. There could be as much as 10 seconds between the graph update when hit.
-
It doesnt but it takes you offline even if it shouldnt….
Maybe I'm misunderstanding something, but yes, I do fully expect to be blown off the network if you flood my WAN. That's a DoS by definition, is it not?
-
@KOM:
It doesnt but it takes you offline even if it shouldnt….
Maybe I'm misunderstanding something, but yes, I do fully expect to be blown off the network if you flood my WAN. That's a DoS by definition, is it not?
I think the point here is that if pfSense can be knocked off with as little as 70-80 mbps, a gigabit pipe doesn't need to be flooded. It's not about flooding the pipe.
Maybe not a problem for those with less bandwidth. But for those with huge pipe, gigabit or more even, it would make it very easy for an attack to knock them offline with as little as 70-80 mbps. No where near saturating at gigabit pipe. Easy prey for an attacker. Wouldn't even have to allocate much resources.
Yes it would be nice to hear from someone official. If they where informed of this 2 to 3 months ago, and not responded, why do you supposed that would be.
-
They were. CMB promised to get back to us but havent.
-
I'm not sure what you expect man… A daily post from CMB saying he hasn't solved your issue yet?
-
No….but maybe some updates to what they find or not find??
Maybe hints to what could be done to minimize impact by adding things to system -> tunables??
-
My impression thus far is there is nothing they have been able to figure out because its a OS issue. I know they talked abit about it and posted about it in the past after someone took down their store website especially. I wouldn't expect a whole bunch of talk from them until they figure it out which will probably happen when the OS gets patched. Thats my guess.
Generally speaking though, I think you want a specialized DDOS prevention service between your routers and the internet.
Be careful with that too. A couple days ago our DDOS protection got mysteriously hyper-sensitive and started blocking most everything!
-
@KOM:
What are you waiting for? Accept the challenge.
I already did and didn't see what he was talking about. He blasted me with a sustained 90 Mbps, my link max. Our access was slow and I was getting service alarms from our external sensors, but pfSense was responsive. I didn't see anything that I wouldn't already expect to see while under DoS. He wanted to try another test where he blasts a port-forwarded server but I didn't have time or patience today for that.
Ahh, some new info that I haven't heard of until now. In the youtube videos of his own machine, small amounts of bandwidth was doing a lot more than just reducing bandwidth. But against your box, assuming the same attack, it didn't do much of anything than just eat some bandwidth.
I wouldn't mind participating in being a guinea pig for a short bit. I would like to see if any value below 95Mb can render by 100Mb connection dead.
-
Send me a PM :)
-
I just suddenly thought it would be funny if the issue was the logging caused by the default block rules was spamming his log and hanging the system, with the abrupt swings caused by the system attempting to make room in the log.
I think we covered this at one point, but I'm in a daze from lack of sleep and a busy week…. And Monday is tomorrow.. uhggg.
-
supermule ran the test on me and my wife got angry, I was having fun.
It started off like this, about 70Mb/s of traffic coming in and my WAN dropped out
After a tens more seconds, it got worse
Overall CPU usage seems low during this time, but part way through, really really bad things started to happen. I could not even talk to my admin interface.
This was all during the sub max bandwidth test of around 70Mb or less.
Eventually it transitioned into a bandwidth DDOS which maxed out my connection. PFSense started to respond again, but the Internet was mostly dead as expected when you have no bandwidth
The first quite of tests were the worst. The low bandwidth test made the entire PFSense box unresponsive
During the first tests, when PFSense was responding, it claimed CPU usage was low and System Activity looked normal.
During the high bandwidth test, CPU usage was high, but at-least PFSense was responding correctly.
-
Your box died using specific low bandwith scripts as predicted. Low bandwith script not using your CPU either.
You box got more responsive using SSYN but using larger packet size. 100mbit traffic….
-
I noticed the dashboard didn't show "70Mb" anywhere, but I did see it on the Traffic Graph which I should have kept. You can see the first spike of blocked traffic being around 70Mb. I had to reboot to get RRD sampling again, the service seems to have stopped working, but I think that has been discussed elsewhere and maybe even fixed in 2.2.1.
-
Another thing is that you can monitor your realtime traffic graph updating every second, get slow and starting to update maybe every 10 seconds or so…
-
Very interesting. Now you have my attention.
-
Hello together,
I am pretty new to pfSense and Firewalls such as based on Linux, Unix or BSD
and there was a post where @supermule, @harvy66 & @derelict where making some
interesting comments I really don´t know what was the meaning of them, so sorry if am
asking some silly questions about.I read this post also like another one concerning the DDoS/DoS debate across the forum
and I really has also some questions on top related to this thread here.It seems to only affect UNIX/Linux/BSD distros.
The first thing what I want to know, why a firewall like pfSense and such mOnOwall,
IPCop, IPFire, Untangle, SophosUTM or ZeroShell was compared against the MS Firewall?This is in my eyes a contortion of the whole situation, because the both firewalls are
absolutely working different each from another and so it should not be compared against.I revived an old ISA Server 2006 and testet it out front and it wasnt affected when configured.
The MS Server Firewall is acting as follow: "Nothing comes in, that is not requested from inside"
by blocking it like a tennis ball that is hitting a wall, it purely cant join in.But the pfSense want to let IP packets coming in to inspect them and then let them
going through or the packets will be blocked, but there fore the packets must before
coming in and not like in the other situation rebound at the firewalls NAT service.Is this true or something like this or is this a so called thinking false of mine I am in?
And the second thing is the following I really don´t understand here in this trail.
With the 70 MBit/s traffic thats hitting the pfSense firewall from the outside it
is in my eyes also a problem of the LAN Port or NIC itself and on how many
rules and/or filters are working on this LAN Port or NIC.Its in the OS. Hardware can easily handle it if you got some muscle.
- No name consumer product often feed the CPU and let the CPU doing the entire job of all.
- An Intel consumer NIC with a small chip on it that is saturating many thing by his own
- An Intel Server NIC comes with an DSP (digital signal processor) and does the entire job
itself and is not harming the CPU really hard.
So if you are now testing with 70 MBit/s of DDoS stuff it could really be that this would
smashing down one pfSense device, but another one will take this load and lames only a bit.A ordinary consumer router is doing SPI/NAT and let nothing in, ok perhaps also his
WAN port will be unreachable during the attack, but is not dying or rebooting.You mentioned Windows weathers it better. What about something like a Cisco ASA?
Other firewalls from the well known vendors are mostly going in a so called "hedgehog mode"
by closing the WAN Port and the LAN Ports at an entire count of xyz packet in xyz milliseconds
for so and so long time and then they are opening the interfaces again perhaps this will be
explaining it better because I really think that pfSense is acting in another way, can this be?No matter the cores and memory, pfSense still dies instantly.
If pfSense (NanoBSD image) is installed as read only, so many things are runs in the RAM
and if this RAM is to small or the pfSense is running out of RAM the pfSense firewall is dying
or freezing or like you both call it got rendered down is this right? Or is this only the State
Table size that is running full (39.xxx from 40.000), so that no more entries are able to be
placed in? Or should it be a greater CPU likes the shown Intel Core i-5 cpu or more then
4 cores are needed? -
I think its established by now…
-
BlueKobold, it took down my i5 3.2ghz Haswell quad with 8GB of ram and Intel i350-T2 like nothing. The entire system was rendered unresponsive, while claiming the system had low CPU usage during the brief moments the system was responsive.