On 12.02.18 01:26, Martin Hanson wrote:
> Hi,
> 
> I have a home network that is segmented into 3 different zones using a NIC 
> with 4 ports sitting on an OpenBSD firewall/dhcp server. One port is 
> connected to the Internet (ISP router) and each of the three others has a 
> D-Link DGS-1005D switch connected to each.
> 
> So..
> 
> LAN1 = 192.168.1.0
> LAN2 = 192.168.2.0
> LAN3 = 192.168.3.0
> 
> Learning more about networking I wanted to test a SYN flood so I set up a 
> couple of boxes on LAN1 and LAN3 to flood a box on LAN2. I used "hping3" with 
> the "S" and "flood" options.
> 
> Running a regular ping in a terminal I could see how the response time 
> decreased and eventually the box began to lose packages.
> 
> However after a while it seemed like the entire internal network went down.
> 
> No box on any LAN could get an IP address from the DHCP server on the OpenBSD 
> box.
> 
> I eventually rebooted the OpenBSD box, but that didn't immediately help, and 
> only after powering down the switches and powering the switches on again, 
> everything worked again.
> 
> I have been looking through the PF documentation to see if PF somehow blocks 
> SYN flooding, but I am not using synproxy on any rules.
> 
> What could cause such a "melt down" of the entire network because of a SYN 
> flood to a box?
> 
> I suspect that the D-Link switches are pretty bad and maybe are the cause of 
> the problem?
> 
> I eventually will try again to see if I can determine what's causing the 
> "melt down", but I want to know if anyone perhaps has experienced similar 
> results during some testing?
> 
> Many thanks in advance.
> 
> Kind regards,
> 
> Martin 

You ran a denial of service attack against your home network. As a
result your network denies service. Sounds like you have proven that
SYN flooding is an effective denial of service attack in your network.

Yes, your switches cannot handle the amount of traffic you are putting on
them.

No, your switches are not the problem. Your SYN flooding of the
network is causing the problem.

Cheers,
Bruno

-- 
I really hope this whole thing works,
I won't be able to test everything beforehand
