Date: Sun, 12 Jan 2003 10:11:28 -0800
From: Luigi Rizzo <rizzo@icir.org>
To: Josh Brooks <user@mail.econolodgetulsa.com>
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: ipfw rules - SYN w/o MSS, and ACK with 0 sequence number
Message-ID: <20030112101128.C10609@xorpc.icir.org>
In-Reply-To: <20030111163433.S78856-100000@mail.econolodgetulsa.com>; from user@mail.econolodgetulsa.com on Sat, Jan 11, 2003 at 04:40:53PM -0800
References: <20030111163433.S78856-100000@mail.econolodgetulsa.com>
Hi,

On Sat, Jan 11, 2003 at 04:40:53PM -0800, Josh Brooks wrote:
...
> After reading some more documents on DoS attacks (namely
> http://www.e-gerbil.net/ras/projects/dos/dos.txt ) I have found that there
> are two nice mechanisms to thwart a large number of ack and syn floods.
>
> First, it turns out (from the paper I mention above) that most of the SYN
> flood tools out there send the SYNs with no MSS.
>
> Second, it turns out that the default stream.c has ACK numbers of zero on
> every packet. So although I realize that since ipfw is stateless I cannot
> put in the _real_ fix (with ipfilter):

ipfw has been stateful since early 2000, so you can implement exactly the
same thing mentioned below in ipfw as well. Read the ipfw manpage for
details.

cheers
luigi

> -- start rule set --
> block in quick proto tcp from any to any head 100
> pass in quick proto tcp from any to any flags S keep state group 100
> pass in all
> -- end rule set --

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
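As an added example (not from the thread above, and not Luigi's or Josh's code), here is one way to express the posted ipfilter ruleset in stateful ipfw, together with the two heuristics Josh mentioned: drop SYNs that carry no MSS option, and drop bare ACKs whose acknowledgment number is 0. It assumes an ipfw(8) that understands `check-state`/`keep-state`, `setup`, `tcpoptions`, `tcpflags` and `tcpack` (check your version's manpage), that rule numbers 100-150 are free, and that the script is run as root on a FreeBSD box. The `IPFW` variable, the `emit_rules`/`apply_rules`/`count_rules` helpers and the rule numbers are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list thread.
# Assumptions: ipfw(8) with check-state/keep-state, setup, tcpoptions,
# tcpflags and tcpack keywords; rule numbers 100-150 unused; run as root.
IPFW=${IPFW:-ipfw}   # path to the ipfw binary (assumed name)

# Print the rule bodies, one per line, without touching the firewall.
# Order matters: check-state first, so packets belonging to an already
# tracked flow never reach the stateless deny rules below it.
emit_rules() {
    cat <<'EOF'
100 check-state
110 deny tcp from any to any in setup tcpoptions !mss
120 deny tcp from any to any in tcpflags ack,!syn tcpack 0
130 allow tcp from any to any in setup keep-state
140 deny tcp from any to any in
150 allow ip from any to any
EOF
}

# Load the rules into the running firewall, stopping at the first failure.
apply_rules() {
    emit_rules | while read -r rule; do
        # shellcheck disable=SC2086  # word splitting of $rule is intended
        "$IPFW" add $rule || return 1
    done
}

# Number of rules this example installs (used as a sanity check).
count_rules() {
    emit_rules | wc -l | tr -d ' '
}

# Uncomment to install:
# apply_rules
```

Rule 130 plus `check-state` is the direct counterpart of Josh's `flags S keep state` rule: only a SYN can create state, and everything else inbound on TCP is denied by rule 140 unless a dynamic rule already matches it. Rules 110 and 120 are the extra heuristics from the paper he cites; they are stateless and sit after `check-state`, so a legitimate established flow that happens to produce an acknowledgment number of 0 is still matched by its dynamic rule first. Treat both as heuristics rather than a fix: a flooding tool that adds an MSS option or randomises its ACK numbers walks straight past them, and the stateful rule is what actually does the work.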