What is the biggest attack in GBPS you stopped
-
I am nice.
But you would be pissed as well if you were accused of things you didnt do.
It goes both ways.
You may have been falsely accused. How you react to this is your choice.
There is a difference that seems to need need stating:
Chris is a co-owner, as am I. You are a guest.
While you are helpful, and respectful, you are welcome here. When that is no longer true, I will (and take this with all the requisite gravitas), remove you from this community. You will not return. I removed my former persona ("gonzopancho") in a way that I could not ever recover, because I found that I could no longer respond in a reasonable manner.
You have been far over "the line" of reasonable response on many occasions. This is your final warning. How you react is your choice.
I think you have value that you can bring, but your behavior in this and other things is, in the balance, largely negative toward the project and its owners.
-
Come on guys…
Clearly there is an issue and it
s not only caused by resource exaustion as cmb says. Mine went down with 3Mbps of traffic and I have 40/100 and 20/20 pipes. Everything went down and he didnt even touch my internal webserver but firewall itself.Why can
t you work together, Im really dissapointed in the way things went on this issue.pfSense is really cool and serious project and forums didn`t let me down since I first posted here (ok besides dok and his sarcasm which I got used to and it amuses me every time hehe ;) ) but I always got help or at least hint where to start.
Open source guys…
My 2c...
The issue is resource exhaustion. The 'attack' (as it were) runs pf out of states. It is not (as some seem to want to state) related to virtualization or (as others seem to want to state) interrupt load on a single CPU.
To my knowledge, Brian has never shared his scripts/code, but we do have what I believe to be similar internally. We have shown (internally)
that the problem is endemic to the pf in FreeBSD. It is not specific to pfSense, or any 'forks' of same. I have not verified that the problem occurs on OpenBSD, or another 'stateful' firewall.The problem is not made worse by the lack of dtrace on the image.
Your disappointment is not inducement to work on the problem, nor am I aware of what you mean by "Open source guys…"
We, or someone else, will eventually fix the issue. It may be quite difficult. The pf codebase is not well-structured.
-
Thing is Chris… Franco is very kind to people.
I dont really dig into the opnsense/pfsense feud since its meaningless.
I see. So is your assertion is that Brian/Supermule on forum.opnsense.org is not the same as Brian/Supermule on forum.pfsense.org?
Because if these are the same, then you said something quite different only two weeks ago:
https://forum.opnsense.org/index.php?topic=581.msg2799#msg2799
I take several issues with what you said:
Issue IMHO is that pfSense is nothing more than a name and logo.
I assert that this is false.
All the code and contributions are open source
This is true, and always has been.
and they want to change that so they can make money of other peoples work and contributions.
We have not changed that pfSense is open source, nor do we "want to change that". Your ugly accusation is false, Brian.
I dont like it and thats why I am here.
This is, of course, your choice, but I don't see why you feel allowed to be two-faced about it without challenge.
-
Its not. Plenty of ressources left as you can see. Its routing and the way pf handles it.
The issue is different.
-
OK, so 45 forum pages later, we have determined that there is a problem in pf that may or may not get fixed by someone sometime, perhaps.
Can we close this thread now already?
-
Regardless of whether or not this low bandwidth DDOS traffic should be stopped upstream, 3 mbps of any kind of traffic should not render a modern business class firewall useless. Period.
The root issue being in FreeBSD pf doesn't changes that. And since pfSense is built on FreeBSD it is by extension a pfSense problem too.
What specific work has the pfSense project done with the FreeBSD project to resolve this specific issue and provide a fix?
-
Regardless of whether or not this low bandwidth DDOS traffic should be stopped upstream, 3 mbps of any kind of traffic should not render a modern business class firewall useless. Period.
The root issue being in FreeBSD pf doesn't changes that. And since pfSense is built on FreeBSD it is by extension a pfSense problem too.
What specific work has the pfSense project done with the FreeBSD project to resolve this specific issue and provide a fix?
I outlined what we've done above. We have, what I believe to be, a similar program which can cause a similar issue.
If we develop a fix, we will attempt to upstream it to FreeBSD.
Right now, nobody is actively working on this "issue", because it is, fundamentally, a misapplication of technology.
-
@KOM:
OK, so 45 forum pages later, we have determined that there is a problem in pf that may or may not get fixed by someone sometime, perhaps.
Can we close this thread now already?
+1
-
@jwt:
Regardless of whether or not this low bandwidth DDOS traffic should be stopped upstream, 3 mbps of any kind of traffic should not render a modern business class firewall useless. Period.
The root issue being in FreeBSD pf doesn't changes that. And since pfSense is built on FreeBSD it is by extension a pfSense problem too.
What specific work has the pfSense project done with the FreeBSD project to resolve this specific issue and provide a fix?
I outlined what we've done above. We have, what I believe to be, a similar program which can cause a similar issue.
If we develop a fix, we will attempt to upstream it to FreeBSD.
Right now, nobody is actively working on this "issue", because it is, fundamentally, a misapplication of technology.
Is there a bug report with freebsd so we can keep tabs on it?
-
Is there a bug report with freebsd so we can keep tabs on it?
Read this post: FreeBSD/pf and SYN ACK flooding. Then you'll understand why there's no upstream bug anywhere. (Unlike here, they've been able to stop the nonsense in just a single page, not 45 and counting… ::))
-
@jwt:
Regardless of whether or not this low bandwidth DDOS traffic should be stopped upstream, 3 mbps of any kind of traffic should not render a modern business class firewall useless. Period.
The root issue being in FreeBSD pf doesn't changes that. And since pfSense is built on FreeBSD it is by extension a pfSense problem too.
What specific work has the pfSense project done with the FreeBSD project to resolve this specific issue and provide a fix?
I outlined what we've done above. We have, what I believe to be, a similar program which can cause a similar issue.
If we develop a fix, we will attempt to upstream it to FreeBSD.
Right now, nobody is actively working on this "issue", because it is, fundamentally, a misapplication of technology.
So in other words the pfSense project has not done specific work with the FreeBSD project to resolve this specific issue and provide a fix.
Could you please explain the fundamental misapplication of technology?
Thanks
-
Is there a bug report with freebsd so we can keep tabs on it?
Read this post: FreeBSD/pf and SYN ACK flooding. Then you'll understand why there's no upstream bug anywhere. (Unlike here, they've been able to stop the nonsense in just a single page, not 45 and counting… ::))
https://en.wikipedia.org/wiki/SYN_flood
Can we enquire considering the botnet element what solution is being considered?
A few thoughts on this, is if a server/service is behind an ip address where more than 1 ip address is available at a moments notice but not all ip's used, could existing states be maintained, whilst DNS is updated and services moved to another ip address a bit like the multiwan setup where wan1 is incoming and outgoing goes out on Wan2 for example.
If a server/service regularly only handles traffic from a specific region or country, could something like pfblocker be made to block anything from outside that region/country on the fly? I suspect this is why google diverts searchs to their local country domains.
What are the pro's/con's from having a recycled log of good ip addresses that have previously connected in the last x minutes or by some other pattern, which are allowed in automatically whilst the unknown ip addresses perhaps have a shorter timeout or treated with some other caution. Its possible to know that some IP address ranges will have good speed and latency by virtue of who is allocated them, whilst others may not, thinking mobile phone/satellite for the latter, so could something adaptive be considered?
Where would I find the failed ACK's being reported by pfsense in this scenario?
Edit: As theres a fundamental difference between the wiki link and this link http://security.radware.com/knowledge-center/DDoSPedia/syn-ack-flood/
namely the later appears to be exploiting out of order packets and the subsequent overhead processing them, although nothing can stop any amount of bandwidth domination irrespective of what its called be it flooding, (D)Dos, if the attacks by SM have been syn ack floods described in the 2nd link, as PF in freebsd handles this, will this not require a bit of a rewrite of the fundamentals of PF to speed up its handling of this situation? -
Read this post: FreeBSD/pf and SYN ACK flooding. Then you'll understand why there's no upstream bug anywhere. (Unlike here, they've been able to stop the nonsense in just a single page, not 45 and counting… ::))
So he refuses to provide the code that tickles this to FreeBSD's security team until some unknown condition is met. Got it.
-
Read this post: FreeBSD/pf and SYN ACK flooding. Then you'll understand why there's no upstream bug anywhere. (Unlike here, they've been able to stop the nonsense in just a single page, not 45 and counting… ::))
So he refuses to provide the code that tickles this to FreeBSD's security team until some unknown condition is met. Got it.
If its a criminal botnet thats for hire, how can SM hand over the code?
At the same time, because someone has thought to test their own security arrangements by handing over some money to test, in this case pfsense protecting their systems, whilst also possibly testing the forums is not only testing their own security arrangements, but also testing the team behind the security product and the marketing claims.
In my books whilst the methods might be arguably criminal, it does show some level of ingenuity which perhaps shouldnt be denigrated and which is the lessor of two evils, testing the system and claims, or putting out there, duff solutions which threaten even more people and their businesses? 1 business or hundreds or thousands of businesses?
Its an interesting test of various claims none the less and pfsense have come out reasonably well imo, in that their servers are not down offline for any lengthy period of time and we appear to have got to the bottom of the problems with maybe some solutions under foot.
I've been the victim of CEO's lying about their products in the past, shifting blame onto other companies namely Microsoft and when called out for it, posts deleted. Shouldnt CEO's be called out for over hyping claims?
Edit. I am also not connected with SM and whilst I could quote shakespeare at myself, namely thy doth protest too much, the above is just another perspective on the whole situation, whether we like it or not.
-
In my books whilst the methods might be arguably criminal, it does show some level of ingenuity which perhaps shouldnt be denigrated and which is the lessor of two evils, testing the system and claims…
Thanks for giving everyone on the intarweb permission to rootkit all your stuff.
PS–I never particularly liked Shakespeare.
;)
-
Could you please explain the fundamental misapplication of technology?
Tim McManus will recognize some of this because I wrote he and Anthony back in May with very similar words.
If the attack referenced here is what I think it is, then it is potentially represented by the following Perl code (reported by “torontob” to jimp)
#!/usr/bin/perl
synflood.pl - Simple SYN Flooder
Author: iphelix
Requires perl, Net::RawIP module, and root privileges
use Net::RawIP;
if ($#ARGV == 2) {
($src,$dst,$port) = @ARGV;
$a = new Net::RawIP;
while(1) {
$src_port = rand(65534)+1;
$a->set({ip => {saddr => $src,daddr => $dst},tcp => {source => $src_port,dest => $port, syn => 1}});
$a->send;
}
} else {
print "./synflooder source_ip destination_ip destination_port\n";
}We were given similar ‘C’ code that looks like it was written by a 13 year-old unfamiliar with threading which I won't post here.
In any case, the net-net is that some jackass sends a lot of frames with random (or sequential) source port #s and/or source IP addresses. (We have PCAPs.)
The pf “synproxy” stuff is supposed to take care of this, but it doesn't appear to work.
pass in on $ext_if proto tcp to $forum_ip port www synproxy state
In addition to keeping states as recommended by cmb and others upthread, there is some headroom to be had by setting following tunables. (Values are just examples.)
TCP timout settings
#set timeout tcp.first 60
#set timeout tcp.established 86400
#set optimization aggressive
#set timeout { adaptive.start 20000, adaptive.end 220000 }
#set limit states 200000But this is all crap, and the above are, at best, simplistic hacks (mostly by the OpenBSD people) seeking to hide a poor architecture by liberally applying coats of paint.
Firewalls aren't DoS/DDoS mitigation devices, they're staeful policy-enforcement devices. DoS attacks are attacks against capacity and/or state. In this specific case, capacity is the number of states that can be used.
Beyond this, state-full inspection makes no sense at all on a front-end server, where every connection is by definition unsolicited. Harden the OS, harden the apps/services, run a chrooted jail, use tcpwrappers and mod_security and mod_evasive, and use stateless ACLs in an ASIC-based router or even DPDK’s ip_pipleine to enforce access policies.
Given all of these, “pf” is fundamentally a misapplication of technology here.
By placing the server behind the stateful packet filter, you increase its vulnerability due to the potential for exhaustion of the connection table by an attacker. You can use firewalls between the tiers of a multi-tier setup, where you can control the number and types of inbound connections on a bidirectional basis, but no one who operates high-volume publicly-accessible servers puts the the front-end behind a firewall, because it does nothing to increase the security posture, and can actually be harmful.
I also see little of any value in this thread. This serves to re-enforce my opinion that the forum isn’t a good use of my time.
Using the code (above) it’s fairly trivial to run the state table out of states, but an “interrupt storm” is another issue, solved via entirely different path.
To be clear, we’ll look into it (just as we looked into it back in March when Brian/Supermule first involved us in Feb/March). Eventually we'll develop a fix, though it is unlikely to leverage "pf". There are things in "pf", and also in the use "pfSense" makes of "pf" that make any such fix more complex.
Other points:
-
FreeBSD-SA-15:13.tcp has nothing to do with this.
-
I have zero idea what BlueKobold might have meant in the first paragraph of this: https://forum.pfsense.org/index.php?topic=91856.msg540545#msg540545 It looks like a slam ("profiteer"?) to me.(*)
-
In reference to: https://forum.pfsense.org/index.php?topic=91856.msg539912#msg539912 no, it's not a network driver issue
-
https://forum.pfsense.org/index.php?topic=91856.msg539638#msg539638 show us the fix in opnsense, Brian.
To summarize, in this context/thread, we are all being dragged into participating in someone else’s drama. This is never a good idea.
(*) In general, people who make statements like "pfSense is just a GUI on top of FreeBSD" obviously have no idea what they're looking at. Making such statements only shows ignorance. I am working toward an architecture where pfSense is a set of packages on top of FreeBSD, but we are not yet there.
-
-
That would be a very good idea if possible!
Opnsense has this fix done allready and a full release on friday.
I had to register solely for this crap. This is typical opnsense.
So you advertise your "skill" on pfsense forum that has infinitely more users than opnsense forum, refuse to show FreeBSD and pfSense developers how this is being done and then provide the "solution" to opnsense. Wow, that's so opn and open source spirited! I love the fact Franco is behind this, it just proves how low opnsense guys are willing to go.
Unfortunately for Franco and you, opnsense is still light years behind pfSense even with "your" fix.
-
Read this post: FreeBSD/pf and SYN ACK flooding. Then you'll understand why there's no upstream bug anywhere. (Unlike here, they've been able to stop the nonsense in just a single page, not 45 and counting… ::))
So he refuses to provide the code that tickles this to FreeBSD's security team until some unknown condition is met. Got it.
Here's the "brilliant" supermule plan:
1. snoop on some random hacker IRC for ddos tricks
2. reveal your "brilliant" trick on pfSense and freebsd forums in order to gain larger audience
3. ddos pfsense forums with botnet in order to say "I told you so, my trick is real"
4. reveal fix is coming for opnsense which is why opnsense is better, more secure blah blah blah.I bet Franco will try to push his patchwork to FreeBSD : ) equally "brilliant" like opnsense wikipedia page which is written by biased opnsense drones (who btw, constantly try to schedule pfSense wikipedia page for deletion).
Bottom line is, they are using pure scammer tactics in order to get larger userbase for opnsense.
-
Lol
-
@jwt:
. . .
You posted a bunch of good information. Appreciate that.
However it sort of side-steps the point that pfSense can be rendered useless by as little as 3 mbps of traffic. Yes I get that handling DDOS is not the job of a firewall (misapplication of technology). But that doesn't mean a business class firewall shouldn't be expected to withstand a mere 3 mbps attack. Just because it's technically DDOS doesn't automatically mean it's high bandwidth and that a business class firewall shouldn't need to be able and expected to withstand it. I for one would and do expect a business class firewall to withstand such a low bandwidth attack. No 3 mbps of anything should be a problem for such a device.
