SYN flooding and traffic drop on OPNsense?

[Supermule]

Hi guys.

1st post in here since been a long time pfsense user.

I wonder if you could somehow tell me whats causing the traffic drop in this footage.

http://youtu.be/vkx1urFRq_g

The interesting part happens just around the 5 min mark.

Its a SYN ACK flood that causes OPNsense to drop packets. Suddenly traffic drops and packets begin to flow out of nowhere. This is a basic, nothing tuned install and running Unbound.

Bandwith is 300mbit both ways and connected directly to the internet. So no bandwith congestion here.

The flood can be even smaller and opnsense/pf stops routing packets until the traffic drops.

Any inputs would really be appreciated here.

[franco]

It looks like part of the traffic is being dropped due to some buffer or hash table being full. The traffic is really clean-cut, kernel counters would have to be examined in order to pin this down. Is this a SYN flood only or mixed with real traffic? Is real traffic being dropped in a way that services are severely disrupted (TCP connections in particular)? I can see ICMP drops, one would expect that under heavy load such as this (input queue is full). Also, the CPU seems to be stressed out while trying to grab the traffic. Did you run the same with pfSense, and if so how did that differ?

Thanks,
Franco

[Supermule]

Hi Franco!

I would like to work with you on this since I am a noob bsd guy.

Its a SYN ACK script and yes real traffic is not routing until the traffic drops. Then everything is fine.

Services are gone until it drops.

pfSense is affected the same way.

It looks like part of the traffic is being dropped due to some buffer or hash table being full. The traffic is really clean-cut, kernel counters would have to be examined in order to pin this down. Is this a SYN flood only or mixed with real traffic? Is real traffic being dropped in a way that services are severely disrupted (TCP connections in particular)? I can see ICMP drops, one would expect that under heavy load such as this (input queue is full). Also, the CPU seems to be stressed out while trying to grab the traffic. Did you run the same with pfSense, and if so how did that differ?

Thanks,
Franco

[nanowall]

Hi Supermule,

Like many others who have been following this “dos-and-ddos-attacks”, do you know the status of it? Does the problem still exist?  Who if anybody, is working on it for a resolution?

https://forums.freebsd.org/threads/freebsd-pf-and-syn-ack-flooding.51921/

https://forums.freebsd.org/threads/dos-and-ddos-attacks.51899/

https://forum.pfsense.org/index.php?topic=91856.585

Note: I decided to post here because it’s a friendlier environment.

[Supermule]

I have sceduled a test tomorrow with Franco and we will see.

Right now the scripts dont perform very well due to systems getting patched. So not the power in the traffic as before.