Syn flood crashed my LAN


Syn flood crashed my LAN

Martin Hanson
Hi,

I have a home network that is segmented into 3 different zones using a NIC with 4 ports sitting on an OpenBSD firewall/dhcp server. One port is connected to the Internet (ISP router) and each of the three others has a D-Link DGS-1005D switch connected to each.

So..

LAN1 = 192.168.1.0
LAN2 = 192.168.2.0
LAN3 = 192.168.3.0

Learning more about networking I wanted to test a SYN flood so I set up a couple of boxes on LAN1 and LAN3 to flood a box on LAN2. I used "hping3" with the "S" and "flood" options.

Running a regular ping in a terminal I could see how the response time decreased and eventually the box began to lose packages.

However after a while it seemed like the entire internal network went down.

No box on any LAN could get an IP address from the DHCP server on the OpenBSD box.

I eventually rebooted the OpenBSD box, but that didn't immediately help, and only after powering down the switches and powering the switches on again, everything worked again.

I have been looking through the PF documentation to see if PF somehow blocks SYN flooding, but I am not using synproxy on any rules.

What could cause such a "melt down" of the entire network because of a SYN flood to a box?

I suspect that the D-Link switches are pretty bad and maybe are the cause of the problem?

I eventually will try again to see if I can determine what's causing the "melt down", but I want to know if anyone perhaps has experienced similar results during some testing?

Many thanks in advance.

Kind regards,

Martin


Re: Syn flood crashed my LAN

Martin Hanson

Re: Syn flood crashed my LAN

Bruno Flueckiger
In reply to this post by Martin Hanson
On 12.02.18 01:26, Martin Hanson wrote:

> Hi,
>
> I have a home network that is segmented into 3 different zones using a NIC with 4 ports sitting on an OpenBSD firewall/dhcp server. One port is connected to the Internet (ISP router) and each of the three others has a D-Link DGS-1005D switch connected to each.
>
> So..
>
> LAN1 = 192.168.1.0
> LAN2 = 192.168.2.0
> LAN3 = 192.168.3.0
>
> Learning more about networking I wanted to test a SYN flood so I set up a couple of boxes on LAN1 and LAN3 to flood a box on LAN2. I used "hping3" with the "S" and "flood" options.
>
> Running a regular ping in a terminal I could see how the response time decreased and eventually the box began to lose packages.
>
> However after a while it seemed like the entire internal network went down.
>
> No box on any LAN could get an IP address from the DHCP server on the OpenBSD box.
>
> I eventually rebooted the OpenBSD box, but that didn't immediately help, and only after powering down the switches and powering the switches on again, everything worked again.
>
> I have been looking through the PF documentation to see if PF somehow blocks SYN flooding, but I am not using synproxy on any rules.
>
> What could cause such a "melt down" of the entire network because of a SYN flood to a box?
>
> I suspect that the D-Link switches are pretty bad and maybe are the cause of the problem?
>
> I eventually will try again to see if I can determine what's causing the "melt down", but I want to know if anyone perhaps has experienced similar results during some testing?
>
> Many thanks in advance.
>
> Kind regards,
>
> Martin

You run a denial of service attack against your home network. As a
result your network denies service. Sounds like you have proven that
SYN flooding is an effective denial of service attack in your network.

Yes, your switches cannot handle the amount of traffic you are putting on
them.

No, your switches are not the problem. Your syn flooding of the
network is causing the problem.

Cheers,
Bruno

--
I really hope this whole thing works,
I won't be able to test everything beforehand


Re: Syn flood crashed my LAN

Martijn van Duren-6
In reply to this post by Martin Hanson
Try -current[0]. I think henning will be glad to hear how his new toy
works in the field.

martijn@

[0] https://marc.info/?l=openbsd-cvs&m=151796069324365&w=2


Re: Syn flood crashed my LAN

Tom Smyth
In reply to this post by Martin Hanson
Martin,

Depending on the type of box you have and the amount of RAM on your box
(throw resources at the problem and hope that the resources > than the attack).

I would look at PF limits and increase the maximum amount of states in
the firewall.

It is 10000 by default... which is on the low side (in my humble opinion).
Check man pf.conf for more details on limits.


There have been a number of improvements to SYN flood handling made by henning,
so you can try -current if you want to see further improvements.
Regards,

Tom Smyth


--
Kindest regards,
Tom Smyth

Mobile: +353 87 6193172
The information contained in this E-mail is intended only for the
confidential use of the named recipient. If the reader of this message
is not the intended recipient or the person responsible for
delivering it to the recipient, you are hereby notified that you have
received this communication in error and that any review,
dissemination or copying of this communication is strictly prohibited.
If you have received this in error, please notify the sender
immediately by telephone at the number above and erase the message
You are requested to carry out your own virus check before
opening any attachment.


Re: Syn flood crashed my LAN

Tom Smyth
In reply to this post by Martin Hanson
Regarding D-Link... I would recommend that you use
a decent managed switch (based on tech specs as opposed
to branding).
You can pick up cost-effective ubnt edgeswitches or
TP-Link (fully managed switches) which would offer line-rate switching,
or if you want to have a branded switch get one second hand for best value.

By the way... if you are doubting the switch (and you don't have tech specs
of the switch or you can't monitor it... or get counters off it...)
then there is no doubt...  :)
Regards,

Tom Smyth


Re: Syn flood crashed my LAN

Rupert Gallagher
In reply to this post by Bruno Flueckiger
From my seat, he learned that his configuration of PF lacks SYN flooding protection. He also learned that he needs a managed switch: Cisco SF and SG series are affordable and deliver DDoS protection.


Re: Syn flood crashed my LAN

Stuart Henderson
In reply to this post by Tom Smyth
On 2018-02-12, Tom Smyth <[hidden email]> wrote:
> Regards D-Link... I would recommend that you use
> a decent managed switch (based on Tech Specs as opposed
> to Branding,
> you can pick up cost effective ubnt edgeswitches or
> Tplink (fully managed Switches) which would offer linerate switching
> or if you want to have a branded switch get one second hand for best value

They all use one of a couple of pretty similar switch chips anyway.

Without doing more to figure out *how* it broke I don't think it's possible
to say that one brand is going to react better than another.



Re: Syn flood crashed my LAN

Tom Smyth
Agreed about ubnt vs tplink vs cisco... most use either Broadcom or Marvell
chipsets, Stuart.

I was suggesting based on rated performance of the chipsets in the
datasheets of the managed switch... as opposed to a cheap unmanaged
one.... The other thing I forgot to mention, which was part of my advice,
was that the ability to check counters on each interface can indicate where
the packets are being dropped: are they being dropped between switch ports or
on the OpenBSD firewall etc.
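
One way to act on the advice in this thread about PF state limits and checking counters, as an added example that is not part of any poster's message: it parses `pfctl -si` and `pfctl -sm` output and reports whether the firewall's state table is what is dropping traffic. The sample output is constructed, and `diagnose` with its `warn_ratio` threshold is a hypothetical helper.

```python
import re

# Constructed sample output, not captured from the poster's firewall.
PFCTL_SI = """\
Status: Enabled for 0 days 00:41:07              Debug: err

State Table                          Total             Rate
  current entries                     9987
  half-open tcp                       9641
  searches                        48211930        19542.3/s
  inserts                           731204          296.4/s
  removals                          721217          292.3/s
Counters
  match                           47480726        19245.9/s
  memory                            512044          207.6/s
  state-limit                            0            0.0/s
"""
PFCTL_SM = """\
states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit    65536
"""

def parse_counters(text):
    """Map each indented 'name   integer [rate]' row to its integer total."""
    rows = re.findall(r"^[ \t]+([a-z][a-z -]*?)[ \t]{2,}(\d+)", text, re.M)
    return {name: int(value) for name, value in rows}

def parse_limits(text):
    """Map each 'name  hard limit  N' row of 'pfctl -sm' to N."""
    rows = re.findall(r"^(\S+)\s+hard limit\s+(\d+)", text, re.M)
    return {name: int(value) for name, value in rows}

def diagnose(si_text, sm_text, warn_ratio=0.9):
    """Return findings that point at the PF state table as the bottleneck."""
    c = parse_counters(si_text)
    limit = parse_limits(sm_text)["states"]
    entries = c["current entries"]
    findings = []
    if entries / limit >= warn_ratio:
        findings.append(f"state table near limit ({entries}/{limit})")
    # The 'half-open tcp' row is absent on older releases, hence .get().
    if c.get("half-open tcp", 0) > entries // 2:
        findings.append("most states are half-open TCP (SYN flood pattern)")
    # 'memory' counts packets dropped because no state could be allocated.
    if c.get("memory", 0):
        findings.append(f"{c['memory']} packets dropped: no state available")
    return findings

if __name__ == "__main__":
    for line in diagnose(PFCTL_SI, PFCTL_SM):
        print(line)
```

If this reports nothing while hosts still lose connectivity, the drops are happening elsewhere, such as on the switches or the NICs.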