SYN flooding and traffic drop on OPNsense?

Started by Supermule, June 06, 2015, 01:43:39 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions
June 06, 2015, 01:43:39 PM Last Edit: June 06, 2015, 01:47:58 PM by Supermule
Hi guys.

1st post in here since been a long time pfsense user.

I wonder if you could somehow tell me whats causing the traffic drop in this footage.

http://youtu.be/vkx1urFRq_g

The interesting part happens just around the 5 min mark.

Its a SYN ACK flood that causes OPNsense to drop packets. Suddenly traffic drops and packets begin to flow out of nowhere. This is a basic, nothing tuned install and running Unbound.

Bandwith is 300mbit both ways and connected directly to the internet. So no bandwith congestion here.

The flood can be even smaller and opnsense/pf stops routing packets until the traffic drops.

Any inputs would really be appreciated here.
June 09, 2015, 12:06:38 PM #1
It looks like part of the traffic is being dropped due to some buffer or hash table being full. The traffic is really clean-cut, kernel counters would have to be examined in order to pin this down. Is this a SYN flood only or mixed with real traffic? Is real traffic being dropped in a way that services are severely disrupted (TCP connections in particular)? I can see ICMP drops, one would expect that under heavy load such as this (input queue is full). Also, the CPU seems to be stressed out while trying to grab the traffic. Did you run the same with pfSense, and if so how did that differ?

Thanks,
Franco
June 09, 2015, 12:16:26 PM #2
Hi Franco!

I would like to work with you on this since I am a noob bsd guy.

Its a SYN ACK script and yes real traffic is not routing until the traffic drops. Then everything is fine.

Services are gone until it drops.

pfSense is affected the same way.

Quote from: franco on June 09, 2015, 12:06:38 PM
It looks like part of the traffic is being dropped due to some buffer or hash table being full. The traffic is really clean-cut, kernel counters would have to be examined in order to pin this down. Is this a SYN flood only or mixed with real traffic? Is real traffic being dropped in a way that services are severely disrupted (TCP connections in particular)? I can see ICMP drops, one would expect that under heavy load such as this (input queue is full). Also, the CPU seems to be stressed out while trying to grab the traffic. Did you run the same with pfSense, and if so how did that differ?

Thanks,
Franco
June 25, 2015, 04:40:56 PM #3
Hi Supermule,

Like many others who have been following this "dos-and-ddos-attacks", do you know the status of it? Does the problem still exist?  Who if anybody, is working on it for a resolution?

https://forums.freebsd.org/threads/freebsd-pf-and-syn-ack-flooding.51921/

https://forums.freebsd.org/threads/dos-and-ddos-attacks.51899/

https://forum.pfsense.org/index.php?topic=91856.585

Note: I decided to post here because it's a friendlier environment.
June 25, 2015, 05:53:49 PM #4
I have sceduled a test tomorrow with Franco and we will see.

Right now the scripts dont perform very well due to systems getting patched. So not the power in the traffic as before.

Print
Go Up Pages1
User actions