From my seat, he learned that his configuration of PF lacks SYN flooding
protection. He also learned that he needs a managed switch: Cisco SF and SG
series are affordable and deliver DDoS protection.

Sent from ProtonMail Mobile

On Mon, Feb 12, 2018 at 07:22, Bruno Flueckiger <inform...@gmx.net> wrote:

> On 12.02.18 01:26, Martin Hanson wrote:
> > Hi,
> >
> > I have a home network that is segmented into 3 different zones using a
> > NIC with 4 ports sitting on an OpenBSD firewall/dhcp server. One port is
> > connected to the Internet (ISP router) and each of the three others has
> > a D-Link DGS-1005D switch connected to each.
> >
> > So..
> >
> > LAN1 = 192.168.1.0
> > LAN2 = 192.168.2.0
> > LAN3 = 192.168.3.0
> >
> > Learning more about networking I wanted to test a SYN flood so I set up
> > a couple of boxes on LAN1 and LAN3 to flood a box on LAN2. I used
> > "hping3" with the "S" and "flood" options.
> >
> > Running a regular ping in a terminal I could see how the response time
> > decreased and eventually the box began to lose packets.
> >
> > However after a while it seemed like the entire internal network went
> > down.
> >
> > No box on any LAN could get an IP address from the DHCP server on the
> > OpenBSD box.
> >
> > I eventually rebooted the OpenBSD box, but that didn't immediately
> > help, and only after powering down the switches and powering the
> > switches on again, everything worked again.
> >
> > I have been looking through the PF documentation to see if PF somehow
> > blocks SYN flooding, but I am not using synproxy on any rules.
> >
> > What could cause such a "melt down" of the entire network because of a
> > SYN flood to a box?
> >
> > I suspect that the D-Link switches are pretty bad and maybe are the
> > cause of the problem?
> >
> > I eventually will try again to see if I can determine what's causing
> > the "melt down", but I want to know if anyone perhaps has experienced
> > similar results during some testing?
> >
> > Many thanks in advance.
> >
> > Kind regards,
> >
> > Martin
>
> You run a denial of service attack against your home network. As a
> result your network denies service. Sounds like you have proven that
> SYN flooding is an effective denial of service attack in your network.
>
> Yes, your switches cannot handle the amount of traffic you are putting
> on them. No, your switches are not the problem. Your SYN flooding of the
> network is causing the problem.
>
> Cheers,
> Bruno
>
> --
> I really hope this whole thing works, I won't be able to test everything
> beforehand
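The PF mechanisms the thread touches on (synproxy, which Martin says he is not using, and the state-table limits that decide what a SYN flood costs the firewall) are shown below as an added pf.conf example. It is not the configuration of anyone in the thread; the interface names em0..em3, the /24 masks on the three 192.168.x.0 zones, and every numeric limit are assumptions chosen for illustration.

```pf
# Added example pf.conf fragment, not from the thread. Interface names,
# the /24 masks and all limits are assumptions.
ext_if  = "em0"
lan1_if = "em1"
lan2_if = "em2"
lan3_if = "em3"
lan_net = "{ 192.168.1.0/24 192.168.2.0/24 192.168.3.0/24 }"

# Every SYN that matches a stateful rule creates a state entry, so a flood
# of spoofed SYNs fills the state table. Bound the table and let PF shorten
# timeouts as it fills (adaptive timeouts) instead of refusing all new states.
set limit states 20000
set timeout { adaptive.start 12000, adaptive.end 20000 }

# Sources that exceed the per-source limits below land in this table.
table <flooders> persist

block log all

# Drop known flooders early (quick stops rule evaluation on match).
block in quick on { $lan1_if $lan3_if } from <flooders>

# As described in the thread: a plain stateful pass, no synproxy, no limits.
# A half-open SYN from hping3 --flood consumes a state and is forwarded to
# the LAN2 host, which then holds the half-open connection itself.
# pass in on { $lan1_if $lan3_if } proto tcp from $lan_net to 192.168.2.0/24 keep state

# Hardened: PF answers the SYN itself and only opens a connection to the
# LAN2 host once the client completes the handshake, so half-open SYNs
# never reach the target. Per-source limits move a chatty source into
# <flooders> and flush its existing states.
pass in on { $lan1_if $lan3_if } proto tcp from $lan_net to 192.168.2.0/24 \
    flags S/SA synproxy state \
    (max-src-conn 100, max-src-conn-rate 15/5, \
     overload <flooders> flush global)

# DHCP between the LANs and the OpenBSD box itself (independent of the above).
pass in  on { $lan1_if $lan2_if $lan3_if } proto udp from any port 68 to any port 67
pass out on { $lan1_if $lan2_if $lan3_if } proto udp from any port 67 to any port 68
```

Two caveats a practitioner would want before relying on this. First, synproxy only helps for traffic that crosses the PF box; hosts on the same switch as the target are not covered, and in Martin's test the flood did cross the box (LAN1 and LAN3 to LAN2), so it would apply there. Second, max-src-conn and max-src-conn-rate key on the source address, so they only bite when the flooder uses its real address; a flood with randomised source addresses is still absorbed by synproxy and the state limit but will not populate <flooders>. Syntax-check with `pfctl -nf /etc/pf.conf`, then watch `pfctl -si` (current state count) and `pfctl -t flooders -T show` during a repeat of the test; whether this would have prevented the DHCP outage Martin saw is not something the thread establishes.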
