
Author Topic: Forum running slow again?  (Read 2648 times)


BlueKobold

  • Guest
Re: Forum running slow again?
« Reply #15 on: August 10, 2015, 04:51:57 pm »
Quote
We banned him after this admission.......
So why can we see him even here in the forum if he is banned?

He was only banned; his account wasn't deleted.

Ahh, a fault in my thinking, thanks for the enlightenment!

Offline maverick_slo

  • Hero Member
  • Posts: 851
  • Karma: +40/-3
Re: Forum running slow again?
« Reply #16 on: August 11, 2015, 12:48:07 am »
It's kinda funny that one guy with a simple script can bring down your, or for that matter any, pfSense-protected network  ::)
Makes you think...

Offline cmb

  • Hero Member
  • Posts: 11226
  • Karma: +899/-7
    • Chris Buechler
Re: Forum running slow again?
« Reply #17 on: August 11, 2015, 01:45:05 am »
Quote
It's kinda funny that one guy with a simple script can bring down your, or for that matter any, pfSense-protected network  ::)
Makes you think...

No, any stateful firewall protected network where you're passing any traffic from untrusted networks. How big of an attack you can take in that case depends on how big of a box you have. To handle the number of new connections/sec that was thrown at us with a Cisco ASA, you'd need one of the two biggest 5585-X models. Starting at about $100K USD. And you wouldn't be too far from their stated new connections limit. Hence the "fundamental misapplication of technology" re: using a stateful firewall to process a DDoS (or DDoS-like traffic, just spoofed source often).

Offline mer

  • Sr. Member
  • Posts: 316
  • Karma: +43/-1
  • FreeBSD since 3.3
Re: Forum running slow again?
« Reply #18 on: August 11, 2015, 06:11:25 am »
cmb/jwt/johnpoz/et al: thanks for getting the problems squared away;  yesterday felt like a junkie trying to get a fix.  :o

It's always about resources.  You can get hardware to handle the raw packet load, but then you spend all your time throwing the bad packets away and not doing any useful work.  5 gallon bucket with a 1 gal/minute drain getting filled at 2 gallons/minute, something has to give.  Getting a bigger bucket delays the inevitable.  Getting a 3 gal/minute drain works until you start filling at 5 gal/minute.

Offline phil.davis

  • Hero Member
  • Posts: 4618
  • Karma: +552/-3
    • International Nepal Fellowship
Re: Forum running slow again?
« Reply #19 on: August 11, 2015, 06:55:59 am »
spoofed-DDOS (sDDOS, a new acronym?) really should be stopped at each ISP before it gets onto the internet backbone:
a) Customers with public IPs:
Each ISP has customers connected and knows what public IPs it has allocated to those customers. If it receives any packets from a customer with a source IP that is not one of the customer's proper allocated public IPs then drop the packet.

b) Customers who are not given public IPs but are in a CGN or similar managed by the ISP and who end up on shared public IPs:
The ISP can filter internally to make sure individual customer packets have source IPs that match the internal IP given to the customer.
In any case the ISP will NAT this stuff out to the public internet so dodgy source IPs will (should) be NATed out to be the ISP public IP. Thus the "spoofed" and "distributed" are not effective. It becomes like an ordinary "DOS".

c) In regions/countries where there are small ISPs that are [not willing|can't be trusted|do not have the technical skill] to do this filtering of traffic from their customers, then the next level up part of the backbone (to which these ISPs connect) should filter traffic, making sure that the source IP of all traffic received from "small and dodgy ISP X" is actually one of the public IPs that is allocated and routed to that ISP.

If that was put in place, then end-customers could not mount spoofed DDOS attacks just from a single place.

They could still do ordinary DOS from 1 or a few of their own source IPs. But that is easier to mitigate because the firewall can have pass rules that limit the number of new connections per second from each source IP and quickly start dropping the incoming SYN packets without creating state... - which should be much less processor intensive and not fill the state table.

And of course if someone has a bot that they have managed to get installed in 1 million hosts via some malware then they can mount a real DDOS, rather than sDDOS.
As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/
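The two measures phil.davis describes above, written out as pf.conf fragments. This is an added example for readers of the thread, not configuration posted by phil.davis, cmb or the pfSense project; interface names, addresses, prefixes and the rate limits are assumptions chosen for illustration. The first part is the ISP-edge ingress filter from points (a) and (c); the second is the per-source new-connection limit from the later paragraph, which on pfSense corresponds to the "Max. src. conn. Rate" advanced options and the synproxy state type on a firewall rule.

```pf
# Added example (not from the thread): pf.conf fragments for the two
# measures described in the post. Interface names, addresses and limits
# are assumptions chosen for illustration.

# --- (a)/(c): BCP38-style ingress filtering at an ISP edge ---
# Each customer-facing interface only accepts packets whose source is
# one of that customer's allocated prefixes; anything else is dropped
# before it can be forwarded toward the backbone.
cust_if = "vlan100"
table <cust_prefixes> const { 203.0.113.0/24, 2001:db8:100::/48 }
block in log quick on $cust_if from ! <cust_prefixes>

# Same idea expressed with pf's reverse-path check: drop a packet whose
# source address would not be routed back out the interface it arrived on.
block in log quick from urpf-failed

# The networks directly attached to $cust_if cannot legitimately be the
# source of packets arriving on any other interface.
antispoof log quick for $cust_if

# --- per-source limits on an Internet-facing stateful firewall ---
# Limits new connections per source so an ordinary (non-spoofed) DoS from
# one or a few addresses cannot fill the state table.
wan_if  = "em0"
web_srv = "198.51.100.10"
table <flooders> persist

# Sources that tripped the limit are dropped before any state is created.
block in quick on $wan_if from <flooders>

# synproxy: pf completes the TCP handshake itself and only opens a state
# toward the server after the client answers the SYN-ACK, so a raw SYN
# flood never reaches the server.
# max-src-conn-rate 15/5: more than 15 new connections within 5 seconds
# from one source address puts that address into <flooders>;
# "flush global" also tears down the states that source already holds.
pass in on $wan_if proto tcp to $web_srv port { 80 443 } \
    flags S/SA synproxy state \
    (max-src-conn 100, max-src-conn-rate 15/5, overload <flooders> flush global)
```

Two caveats worth keeping in mind. The per-source limit only helps when the attacker's source addresses repeat: a spoofed flood presents every SYN as a new address, so nothing accumulates per source, which is exactly why the thread treats spoofed traffic as a different problem. Second, an attacker who can spoof can deliberately exceed the rate from a victim's real address and get that address placed into `<flooders>`, so the overload table should expire entries (for example with `pfctl -t flooders -T expire 3600` from cron) rather than grow forever.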