What is the biggest attack in GBPS you stopped
-
Supermule: I edited out the accusation that you targeted us.
However it sort of side-steps the point that pfSense can be rendered useless by as little as 3 mbps of traffic.
There is no circumstance in which 3 Mbps of traffic will knock off a system (unless that's enough with your config to exhaust your state table after a bit of time). You keep throwing this 3 Mbps, but no one's actually shown that to be true. Give me a test case.
I ran through the usual test cases there on 2.2.4 tonight, flood of passed traffic, blocked traffic, mix of traffic. Depending on a variety of specifics, it might be more like 60+ Mbps of purely SYNs that are being passed and answered (and RST, so it's not exhausting states) in VMs on my laptop. jIt starts dropping some packets at that point. The virtual setup is limiting things to at least some extent, and introducing variability. Still it's handling a very respectable load by commercial firewall comparison standards. Even logging all blocked packets while getting hit with 60 Mbps of SYNs you're blocking is no problem (granted this is on a system with /var as RAM disk so it's not hammering away at a drive to log it). I'll need to run through the same on physical hardware as well to get best quality results. Messing with TCP flags on floods may have more interesting results judging from some preliminary testing. Certain things definitely reduce performance.
All in all it's not bad by firewall standards. I can push significantly more new connections/sec through a 2 core VM on my laptop than a Cisco ASA 5555-X's stated new connections limit.
-
Franco was the only one willing to help get it upstream and the connection was made when I asked him politely.
Nothing more in it.
Dont make this an opnsense/pfsense feud. Its not. I might have called Cisco instead but their systems are vulnerable to.
I downed the emergency hotline and 2 powerstations when testing at a customer.
While somebody is using a lot of time to write about misuse of application and lots of technical stuff that is suppose to make him look smart, then it doesnt help since pfsense/ESF can be taken offline easily as well.
So either they dont understand their own words, text or product since they are very vulnerable to.
Thats the fact. We have been trying to get ESF involved by setting up freeBSD server to test in their end. Nothing.
So pfsense is vulnerable. All over the world and people using it to host servers behind it, selling hosting is vulnerable.
So stop the name calling. Its just smoke and mirrors to a severe flaw in the eco system.
That would be a very good idea if possible!
Opnsense has this fix done allready and a full release on friday.
I had to register solely for this crap. This is typical opnsense.
So you advertise your "skill" on pfsense forum that has infinitely more users than opnsense forum, refuse to show FreeBSD and pfSense developers how this is being done and then provide the "solution" to opnsense. Wow, that's so opn and open source spirited! I love the fact Franco is behind this, it just proves how low opnsense guys are willing to go.
Unfortunately for Franco and you, opnsense is still light years behind pfSense even with "your" fix.
Dude, thank you! thank you for confirming everything I wrote!
edit: I had to edit this because it's just way too much fun!
Thank you for proving me right, thank you for confirming you worked with Franco on this. Thank you for saying "pfsense is vulnerable"!!!!
-
In the end it takes pfsense offline with 3mb/s traffic.
How many times do I have to ask you to provide useful details? I've yet to see any 3 Mbps of traffic that will do any harm, yet you're still making these claims.
-
Franco was the only one willing to help get it upstream and the connection was made when I asked him politely.
Not true at all. If you would have come to us with an actual useful problem report at any point, even still now, we'll be able to get attention upstream if it's really an issue. Quite possibly get it fixed ourselves, since we have multiple FreeBSD committers on staff. And I'm still absolutely willing to do that, you just refuse.
You can either backup these claims so I can actually do something about it if there is an issue, or I'm just going to ban you as a troll, because these threads are an absurd waste of everyone's time at this point.
-
@cmb
He did it to me after 5 seconds traffic graph stopped at 3.19 mbits…
I dont reall care what happened after 5 seconds but before that there was no more than 3 mbits except if traffic graph was wrong... -
Dont make this an opnsense/pfsense feud.
Who is naming it first likes this? ::)
Its not. I might have called Cisco instead but their systems are vulnerable to.
??? Hey Supermule, you where playing nice well, but at this point I really consider to stop now!
Cisco is a NASDAQ notated company, homed in the USA and if only one stock exchance market
analyst is reading this line above, and writes it down in an stock related newspaper, Cisco will
be able to loose some millions of Dollars a day, a week or a month, and then you could be getting
in contact with their law division and the FBI, for putting out news that manipulates the stocks
notations.For sure if you are willing and able then to present them the method of your combined attack
you will be the lucky one, but if not it will be perhaps a guaranty to rest several years in the
Leavenworth state prison. It is not a must be but, I am pretty sure that Cisco´s CSR-3 for
round about 470.000 € is able to over life your attack. If not all ISP will buy at Friday a 30 €
common consumer router that will be able to over life it surely. So on the other side the stock
notations from ASUS, Netgear, D-Link and Zyxel where shooting through the room ceiling!At this stage I jump out of this thread it is no more and only related to pfSense as I see it
right. If the admins in this forum are not having a quieter look to close or wipe this thread
away, it seems to be a international thread with all well known firewall and router vendors
are jumping in. Nice try but now way :oThank you for saying "pfsense is vulnerable"!!!!
Around ~650 different router models where vulnerable during the last 2 years
and all over the world, by owning one or more back doors in site or something
that could be used as this. And they are all from commercial acting companies.
Over pfSense I was not reading statements such as this at the time -
In my books whilst the methods might be arguably criminal, it does show some level of ingenuity which perhaps shouldnt be denigrated and which is the lessor of two evils, testing the system and claims…
Thanks for giving everyone on the intarweb permission to rootkit all your stuff.
PS–I never particularly liked Shakespeare.
;)
Govt's already do anyway or hadnt you noticed? ;D
Even though we hardly live in a democracy considering how few votes are needed to win, ie majority not represented and you cant undo previous legislation made before you were born or able to vote, which is hardly democratic is it? I'm thinking the US Bill of Rights as one example.
In IT we roll back flawed IT, you dont see that happening in Law do you? They just build upon the bugs, because Law is absolute, which is why prosecutors decide to prosecute in order provide the relativity.
-
@cmb
He did it to me after 5 seconds traffic graph stopped at 3.19 mbits…
I dont reall care what happened after 5 seconds but before that there was no more than 3 mbits except if traffic graph was wrong...Exactly. The notoriously slow and cpu-intensive pfSense traffic graph. That's your measurement tool?
It is trivial to put a real monitoring and data gathering tools between your wan device and the pfSense wan port to see what's really happening.
And do it in a lab to eliminate all the ISP nonsense. Remove as many variables as possible and test the actual asserted problem. The first step in any bug report is providing the steps to duplicate. At least if you want the problem fixed.
-
I did only 1 test with Supermule which proved the point and then I replaced pfsense with other solution until this gets fixed.
I still have pfsense @home but I will test no more because I don`t like the way this thread is going.
If whole pfSense/ESF network is vulnerable so can be my home network, who will target me :) -
Everyone is vulnerable to DDoS, dude. Everyone. Not saying there isn't an issue, but without steps to reproduce it won't get fixed.
-
:D
I didnt work with Franco UNTIL after we didnt get anywhere with pfsense and he is NOT behind this.
After we tried to get ESF involved and push for testing at a rig in their control then they could put the collectad data upstream. But nothing.
I tested Opnsense as a measure to see if it was all systems based on FreeBSD thats vulnerable and that was the way I got in touch with Franco.
I asked him politely if he wanted to help me test and get it upstream and he would.
So pls. dont make assumptions in your own head. It has nothing to do with the real world scenario.
Franco was the only one willing to help get it upstream and the connection was made when I asked him politely.
Nothing more in it.
Dont make this an opnsense/pfsense feud. Its not. I might have called Cisco instead but their systems are vulnerable to.
I downed the emergency hotline and 2 powerstations when testing at a customer.
While somebody is using a lot of time to write about misuse of application and lots of technical stuff that is suppose to make him look smart, then it doesnt help since pfsense/ESF can be taken offline easily as well.
So either they dont understand their own words, text or product since they are very vulnerable to.
Thats the fact. We have been trying to get ESF involved by setting up freeBSD server to test in their end. Nothing.
So pfsense is vulnerable. All over the world and people using it to host servers behind it, selling hosting is vulnerable.
So stop the name calling. Its just smoke and mirrors to a severe flaw in the eco system.
That would be a very good idea if possible!
Opnsense has this fix done allready and a full release on friday.
I had to register solely for this crap. This is typical opnsense.
So you advertise your "skill" on pfsense forum that has infinitely more users than opnsense forum, refuse to show FreeBSD and pfSense developers how this is being done and then provide the "solution" to opnsense. Wow, that's so opn and open source spirited! I love the fact Franco is behind this, it just proves how low opnsense guys are willing to go.
Unfortunately for Franco and you, opnsense is still light years behind pfSense even with "your" fix.
Dude, thank you! thank you for confirming everything I wrote!
edit: I had to edit this because it's just way too much fun!
Thank you for proving me right, thank you for confirming you worked with Franco on this. Thank you for saying "pfsense is vulnerable"!!!!
-
You are quite right.
But DDoS with 3mbit bandwith shouldnt exhaust any router and it did taking everything offline.
Everyone is vulnerable to DDoS, dude. Everyone. Not saying there isn't an issue, but without steps to reproduce it won't get fixed.
-
Thing is Chris.
You accused of downing pfsense/ESF and the forum.
How was it downed and did you do a pcap?
Fact is that it was downed according to you. Why not try and use that pcap and see what was causing it?
@cmb:
Franco was the only one willing to help get it upstream and the connection was made when I asked him politely.
Not true at all. If you would have come to us with an actual useful problem report at any point, even still now, we'll be able to get attention upstream if it's really an issue. Quite possibly get it fixed ourselves, since we have multiple FreeBSD committers on staff. And I'm still absolutely willing to do that, you just refuse.
You can either backup these claims so I can actually do something about it if there is an issue, or I'm just going to ban you as a troll, because these threads are an absurd waste of everyone's time at this point.
-
But if the pfSense traffic graph is the measurement of "3Mbit/s" I call bullshit.
One question:
Why didn't you provide the FreeBSD security team the details of your alleged vulnerability?
-
Thing is Chris.
You accused of downing pfsense/ESF and the forum.
How was it downed and did you do a pcap?
Fact is that it was downed according to you. Why not try and use that pcap and see what was causing it?
I experienced problems one afternoon trying to get on the forum and even reported it, I dont know who or what was behind it, but I can speculate until the cows come home. :D
I then had a hell of job trying different ways to get to the forum, like using proxys based in different parts of Europe.
The proxy based in another country generally was successful at accessing the forum, until I tried to log in, read that as having identified myself, at which point connections were dropped.
I never had a problem at accessing the pfsense website on the different IP address at the same time, in fact it was plain sailling so to speak all along the various ESF IP addresses, but once I displayed a repeatable pattern when accessing the forum thats when access was blocked. Things is, AI is a quick learner.
-
The forum has occasional problems. They feel like database issues to me.
-
The forum has occasional problems. They feel like database issues to me.
Thats one way of putting it.
-
This shit still going on? Supermule, which part of the post I linked you do not get? Absolutely NOONE is interested in YT videos, PM to get (D)DoS-ed and similar bullcrap! Want it being worked on and fixed? Provide the information required! Instead of stupid excuses why not to do so…
-
:D
I didnt work with Franco UNTIL after we didnt get anywhere with pfsense and he is NOT behind this.
After we tried to get ESF involved and push for testing at a rig in their control then they could put the collectad data upstream. But nothing.
I tested Opnsense as a measure to see if it was all systems based on FreeBSD thats vulnerable and that was the way I got in touch with Franco.
I asked him politely if he wanted to help me test and get it upstream and he would.
So pls. dont make assumptions in your own head. It has nothing to do with the real world scenario.
Yea, nice try but I'm not buying it. This thread and the ones on FreeBSD forums prove the opposite. Your plan was to make pfSense look vulnerable to the phantom issue and present opnsense as a better solution.
I'm also beginning to think that this "trick" you refused to share with anyone is actually Franco's idea in the first place, considering his packetwerk background.
Feel free to continue to deny it, keep saying that poor you just tried to help but nobody gave you a chance, but we all know that opnsense promotion was behind all this time. Now it makes sense why you behaved like this, why you refused to share any useful details on the issue. Now it shows how truly corrupt and malicious opnsense people and their drones like you really are.
Thanks once again for proving me right.
-
Why didn't you provide the FreeBSD security team the details of your alleged vulnerability?
crickets
