  1. #21
    Untangle Ninja proactivens's Avatar
    Join Date
    Sep 2008
    Location
    Greensburg, Pa
    Posts
    2,362


    CIO's, geesh.....

  2. #22
    Untangle Ninja hescominsoon's Avatar
    Join Date
    Sep 2007
    Posts
    1,704


    Quote Originally Posted by dmorris View Post
    Trust me - you want Attack Blocker, unless you want your little box to crash whenever someone runs an nmap. But hey, what do I know?
    If Untangle can be crashed by an aggressive nmap scan when running a simple NAT, I think you have some coding or configuration issues. Not even a little IPCop system is going to get crashed by an nmap scan, and most assuredly a baseline Astaro won't either, and that's with their "attack blockers" (IDS in IPCop and the IPS in Astaro, both based on Snort) turned off.
    Last edited by hescominsoon; 12-23-2008 at 03:19 PM.

  3. #23
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,486


    Quote Originally Posted by hescominsoon View Post
    If Untangle can be crashed by an aggressive nmap scan when running a simple NAT, I think you have some coding or configuration issues. Not even a little IPCop system is going to get crashed by an nmap scan, and most assuredly a baseline Astaro won't either, and that's with their "attack blockers" (IDS in IPCop and the IPS in Astaro, both based on Snort) turned off.
    I think you're missing the point. All systems (yes, even the ones you suggested) have session limits. If one user takes all the available sessions, no new session can be created and your network loses connectivity. Alternatively, you could ration out sessions as limited resources based on reputations so one user can't monopolize all the resources. That's what Attack Blocker does.

    You are free to run without it, but clearly in this guy's use case turning it on is an excellent thing to try because it will decisively point to if # sessions or resource hogging is the issue here.

    (more information here: http://blog.untangle.com/?p=20)
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  4. #24
    Untangle Ninja hescominsoon's Avatar
    Join Date
    Sep 2007
    Posts
    1,704


    Quote Originally Posted by dmorris View Post
    I think you're missing the point. All systems (yes, even the ones you suggested) have session limits. If one user takes all the available sessions, no new session can be created and your network loses connectivity. Alternatively, you could ration out sessions as limited resources based on reputations so one user can't monopolize all the resources. That's what Attack Blocker does.

    You are free to run without it, but clearly in this guy's use case turning it on is an excellent thing to try because it will decisively point to if # sessions or resource hogging is the issue here.

    (more information here: http://blog.untangle.com/?p=20)
    Not really. Yes, they all have limits, but none of them require attack-blocking software to fend off attacks. Even with an IPS on you can still overwhelm the machine. Your statement made it sound like UT HAS to have the IPS on in order to remain stable; that is the inference I responded to.

    Also, IPCop is basically a NAT router at heart, and I've run 5k connections on it using P2P on a sub-1 GHz machine with 512 MB of RAM, with NAT on and no tunnels open, so you can imagine how many dropped requests I got in return. At no point did the machine get sluggish or unstable.
    Last edited by hescominsoon; 12-23-2008 at 04:11 PM.

  5. #25
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,514


    Well UT will be stable up until you hit that 10k session limit... then things come to a grinding halt as IPTables locks down the network interfaces. During this process it will sometimes restart the networking service and that can crash the UVM.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  6. #26
    Untangle Ninja hescominsoon's Avatar
    Join Date
    Sep 2007
    Posts
    1,704


    Yes, that's an arbitrary hard limit that was a choice made by UT, and I respect that, but that hard limit is the Achilles' heel for UT.

  7. #27
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,486


    Quote Originally Posted by hescominsoon View Post
    Yes, that's an arbitrary hard limit that was a choice made by UT, and I respect that, but that hard limit is the Achilles' heel for UT.
    They all have them. If you don't believe me, fine! Go test them! I sent you a link with a testing program (and test results) for two very common vendors.

    As far as IPCop, of course it doesn't create load on your little box, because it doesn't do full layer-7 reconstruction on every session, much less have per-session threading. You can equivalently run '/etc/init.d/untangle-vm stop' if you'd like to run an equivalent test on Untangle.

  8. #28
    Untangle Ninja hescominsoon's Avatar
    Join Date
    Sep 2007
    Posts
    1,704


    I've read the blog post and you don't disclose who you tested against. I've put the same 5k load on my Astaro machine (I have an unlimited connections license), again without issues; same thing as IPCop, and I did not open a return path, so the return connections were hammering away at my box, again without issues. It's a way to DoS yourself: just fire up a huge torrent and DON'T open the return port and see if your box can handle it. You'll get nearly as many return connections as you do outgoing due to how torrents work. By this logic you can easily DoS a UT box with BT with enough connections due to the hard limit of 10k connections. Now if I REALLY wanted to take down my Astaro I could fire up my attack server in Washington state and do a good SYN flood. Even with the port scan blocking and IPS turned on I can take down my firewall. I am not saying Astaro and IPCop are uncrashable, but your statements make it seem like UT has a design limitation that makes it more prone to a DoS, and not necessarily a malicious attack.
    Last edited by hescominsoon; 12-23-2008 at 04:50 PM.

  9. #29
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,514


    The 10k session limit is actually the default imposed by IPTables and the Linux kernel. And you CAN change it with a sysctl variable.
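    A small monitoring check for the connection-tracking exhaustion the posts above describe, added here as an example; it is not code from the thread, from Untangle, or from any vendor mentioned. It assumes a Linux host that exposes the modern sysctl names nf_conntrack_count and nf_conntrack_max under /proc/sys/net/netfilter (older kernels of the thread's era used ip_conntrack_* names); the 80% threshold and the sample counts are constructed.

```shell
#!/bin/sh
# Added example: warn before the netfilter conntrack table (the "session
# limit" discussed above) fills up and new sessions start being dropped.
# Values may be passed in explicitly so the check also runs on a host
# without nf_conntrack loaded; the threshold default of 80% is assumed.

# conntrack_utilization COUNT MAX -> prints integer percent of table in use
conntrack_utilization() {
    count=$1
    max=$2
    [ "$max" -gt 0 ] 2>/dev/null || { echo "invalid max: $max" >&2; return 2; }
    echo $(( count * 100 / max ))
}

# conntrack_status COUNT MAX [THRESHOLD] -> prints "ok:" or "warn:" line;
# returns 1 on warn so it can drive a cron/monitoring alert
conntrack_status() {
    pct=$(conntrack_utilization "$1" "$2") || return 2
    threshold=${3:-80}
    if [ "$pct" -ge "$threshold" ]; then
        echo "warn: conntrack table ${pct}% full ($1/$2); new sessions are dropped at 100%"
        return 1
    fi
    echo "ok: conntrack table ${pct}% full ($1/$2)"
    return 0
}

# check_live_conntrack [THRESHOLD] -> reads the live counters from /proc
# (requires the nf_conntrack module; returns 2 if the files are absent)
check_live_conntrack() {
    procdir=/proc/sys/net/netfilter
    if [ -r "$procdir/nf_conntrack_count" ] && [ -r "$procdir/nf_conntrack_max" ]; then
        conntrack_status "$(cat "$procdir/nf_conntrack_count")" \
                         "$(cat "$procdir/nf_conntrack_max")" "$1"
    else
        echo "conntrack sysctls not present; is nf_conntrack loaded?" >&2
        return 2
    fi
}

# Demo with constructed values against the 10k default cited in the thread.
conntrack_status 2500 10000        # ok: 25% full
conntrack_status 9500 10000 || :   # warn: 95% full (non-zero exit ignored here)
```

    On a live firewall, `check_live_conntrack` (or `check_live_conntrack 90`) reads the real counters; raising the ceiling is done through the nf_conntrack_max sysctl, at the cost of kernel memory per tracked session.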

  10. #30
    Untangle Ninja hescominsoon's Avatar
    Join Date
    Sep 2007
    Posts
    1,704


    Which can be modified. That's my point. Untangle has chosen to go with the arbitrary 10k session limit, therefore making it more vulnerable to DoS as I have outlined....

    Ok let's take this to another thread.

    I apologize for dragging this thread off topic. Let's stop this conversation here, and if we want to discuss it further, start a new thread. I apologize to all.
    Last edited by hescominsoon; 12-23-2008 at 05:50 PM.
