PF Publication about the vulnerability of PF to DoS attacks.

But your OpenBSD PF firewall is still keeping state for that traffic your host rate-limited or dropped, and that state can (and will) add up, especially for UDP traffic.

So why allow UDP at all? It seems to be abused commonly. I don't allow it.

For large infrastructure where UDP might be required, take extra precautions.
The protocol is a cesspool used by miscreants. No Ping? Oh well.
 
UDP is not the problem. The "problem" is abuse. TCP, with its connection orientation, can be worse. TCP connections typically hang around for a while even after they've been closed.

If you have to expose a service to the internet at large like DNS, it really doesn't matter if it's UDP or TCP or "whatever else protocol", if someone wants to target it, they will.

Reading the link, one could easily argue "any stateful firewall, including Cisco, is probably vulnerable". Stateful firewalls keep state; they keep it around for "X" amount of time, and if inbound traffic exceeds that limit then you have the potential for running out of state memory.

Honestly, reading the link a few times I get the feeling "OMG If I really really overload the firewall I can DOS it!" Well, duh, that's the definition of a DOS.

Now, is it possible that expired states in PF are not being cleaned up correctly? Perhaps, but UDP and TCP have some weird timeouts according to the RFCs, so one could either be in accordance with the specs or work mostly in accordance with the specs.
 
That's the beauty of PF: you can change the defaults.
I like to slam the window shut sooner.
Code:
set timeout tcp.closing 60
set timeout tcp.finwait 60
set timeout tcp.closed 30
I am sure UDP can be tuned too.

To me, DDOS is really more apt to affect high-volume websites. Not so much Joe Blow.
Also, a static IP network is more vulnerable.

So host website in cloud with no UDP.
A hardened webserver is a FreeBSD specialty.
 
Can't you blackhole IPs with pf tables too? Also, blacklistd works in conjunction with PF.
To the best of my knowledge, yes you can. Effectively, having a table "deny from these IPs" is trivial to do in PF.
So host website in cloud with no UDP.
Simple to say, but it depends.
If you really mean "Don't allow incoming UDP services" that is different but you need to be careful about "what". DNS by default is UDP, no? "Website" defaults to http/https which is TCP based.

It all boils down to:
If you are exposing something to the public internet, you must sit down and really think through all the security implications.

Anything I write is pretty much my opinion, others may agree or disagree.
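As an added example that is not from this thread (the interface name, the table name and every numeric limit are assumptions to be sized from your own memory and traffic), the following pf.conf fragment puts together the pieces discussed above: a hard ceiling on the state table so a flood cannot exhaust memory, adaptive timeouts tied to that ceiling, the shortened TCP teardown timeouts plus the UDP ones, a persistent table for blackholing addresses, and per-source state limits on the exposed services.

```pf
# Added example, not the thread's own config. Interface, table name and
# limits below are assumptions.
ext_if = "vtnet0"                     # assumed external interface

# Hard ceiling on state entries (check the current value with 'pfctl -sm').
# When the table is full PF refuses new states instead of swamping the host.
set limit states 50000
set limit src-nodes 20000

# Adaptive timeouts: once 30000 states exist, PF scales every timeout down
# linearly, reaching zero at 60000, so idle states expire faster under load.
# The defaults are 60% and 120% of 'set limit states'.
set timeout { adaptive.start 30000, adaptive.end 60000 }

# Shorten TCP teardown states (as in the post above) and the UDP states,
# which are the ones that pile up under a spoofed flood.
set timeout { tcp.closing 60, tcp.finwait 60, tcp.closed 30 }
set timeout { udp.first 30, udp.single 15, udp.multiple 60 }
set timeout { icmp.first 10, icmp.error 5 }

# Persistent table of abusers: 'persist' keeps the table across ruleset
# reloads even while no rule references it.
table <abusers> persist

# Anything from the table is dropped before any state is created.
block in quick on $ext_if from <abusers>

# Spoofed sources never get a state either. Caveat: 'urpf-failed' assumes
# symmetric routing on $ext_if; drop it if your routing is asymmetric.
block in quick on $ext_if from { no-route urpf-failed }

block in on $ext_if

# Web: cap concurrent states per source and the SYN rate (15 new connections
# per 5 seconds). Offenders are added to <abusers> and all their existing
# states are flushed. max-src-conn-rate requires flags S/SA.
pass in on $ext_if proto tcp to ($ext_if) port { 80 443 } \
    flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, overload <abusers> flush global)

# If a UDP service must be exposed (authoritative DNS here), bound the states
# any one source may hold and the total number of tracked sources. 'overload'
# only triggers on max-src-conn / max-src-conn-rate, so it is TCP-only.
pass in on $ext_if proto udp to ($ext_if) port 53 keep state \
    (max-src-states 20, max-src-nodes 5000)

# Manual blackholing uses the same table (shell commands, run as root):
#   pfctl -t abusers -T add 198.51.100.7     # add an address
#   pfctl -t abusers -T show                 # list entries
#   pfctl -t abusers -T expire 86400         # drop entries idle for a day
#   pfctl -si                                # counters, incl. states refused
#   pfctl -ss | wc -l                        # current state count
```

After loading this, watch `pfctl -si` and `pfctl -ss | wc -l` for a while before tightening the numbers further; as the next post notes, tinkering too much with timeouts can make things worse, and the adaptive range already does most of the work once the table fills.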
 
If you are exposing something to the public internet, you must sit down and really think through all the security implications.
Well, that was really my point. If you are depending on only one layer of protection, you have already lost.
Layered security. I also run syslog-ng for the superb network-wide reporting. Tripwire on the firewall.
Those are the things that make me feel like I know what's happening.

When I was tinkering with those TCP close states I was simply bored and watching pflog too much.....
You do need to know what's flowing. Tinkering too much with timeouts could make things worse.

I really was saying UDP when I meant ICMP. Sorry. I also use DDOS as DOS because DOS=Disk Operating System
 