From owner-freebsd-net Sun Jan 12 10:11:36 2003
Date: Sun, 12 Jan 2003 10:11:28 -0800
From: Luigi Rizzo
To: Josh Brooks
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: ipfw rules - SYN w/o MSS, and ACK with 0 sequence number
Message-ID: <20030112101128.C10609@xorpc.icir.org>
References: <20030111163433.S78856-100000@mail.econolodgetulsa.com>
In-Reply-To: <20030111163433.S78856-100000@mail.econolodgetulsa.com>; from user@mail.econolodgetulsa.com on Sat, Jan 11, 2003 at 04:40:53PM -0800

Hi,

On Sat, Jan 11, 2003 at 04:40:53PM -0800, Josh Brooks wrote:
...
> After reading some more documents on DoS attacks (namely
> http://www.e-gerbil.net/ras/projects/dos/dos.txt ) I have found that there
> are two nice mechanisms to thwart a large number of ack and syn floods.
>
> First, it turns out (from the paper I mention above) that most of the SYN
> flood tools out there send the SYNs with no MSS.
>
> Second, it turns out that the default stream.c has ACK numbers of zero on
> every packet. So although I realize that since ipfw is stateless I cannot
> put in the _real_ fix (with ipfilter):

ipfw has been stateful since early 2000, so you can implement exactly
the same thing mentioned below in ipfw as well. Read the ipfw manpage
for details.

cheers
luigi

> -- start rule set --
> block in quick proto tcp from any to any head 100
> pass in quick proto tcp from any to any flags S keep state group 100
> pass in all
> -- end rule set --
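The two stateless heuristics discussed in this thread (a SYN segment that carries no MSS option, and an ACK segment whose acknowledgment number is zero) are worked through below as an added Python example. It is not part of the original message and is not ipfw or ipfilter code; the TCP header parser, the classify() policy and the sample segments are all constructed here for illustration.

```python
import struct
from dataclasses import dataclass

# TCP flag bits and option kinds from RFC 793.
TH_SYN = 0x02
TH_ACK = 0x10
TCPOPT_EOL = 0
TCPOPT_NOP = 1
TCPOPT_MAXSEG = 2  # the MSS option


@dataclass
class TcpSegment:
    sport: int
    dport: int
    seq: int
    ack: int
    flags: int
    options: dict  # option kind -> raw option payload (without kind/length)


def parse_tcp(segment: bytes) -> TcpSegment:
    """Parse a raw TCP segment (header + options), rejecting malformed ones."""
    if len(segment) < 20:
        raise ValueError("short TCP header")
    sport, dport, seq, ack, off_flags, _win, _csum, _urp = struct.unpack(
        "!HHIIHHHH", segment[:20])
    doff = (off_flags >> 12) * 4     # data offset in bytes
    flags = off_flags & 0x01FF        # low 9 bits are the flag bits
    if doff < 20 or doff > len(segment):
        raise ValueError("bad data offset")
    options = {}
    raw = segment[20:doff]
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == TCPOPT_EOL:        # end of option list
            break
        if kind == TCPOPT_NOP:        # single-byte padding
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad option length")
        options[kind] = raw[i + 2:i + length]
        i += length
    return TcpSegment(sport, dport, seq, ack, flags, options)


def classify(segment: bytes) -> str:
    """Apply the two flood heuristics from the thread to one segment."""
    seg = parse_tcp(segment)
    if seg.flags & TH_SYN and not seg.flags & TH_ACK:
        # A pure SYN from a real stack normally advertises an MSS;
        # the flood tools described in the thread do not.
        if TCPOPT_MAXSEG not in seg.options:
            return "drop: SYN without MSS"
        return "pass"
    if seg.flags & TH_ACK and not seg.flags & TH_SYN and seg.ack == 0:
        # stream.c-style ACK floods carry an acknowledgment number of 0.
        return "drop: ACK with zero ack number"
    return "pass"


def build_tcp(sport, dport, seq, ack, flags, options=b"") -> bytes:
    """Assemble a TCP segment with zero checksum (constructed test input only)."""
    options += b"\x00" * ((-len(options)) % 4)   # pad options to a 32-bit boundary
    doff = (20 + len(options)) // 4
    header = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                         (doff << 12) | flags, 65535, 0, 0)
    return header + options


# Constructed sample segments (not captured traffic).
MSS_1460 = bytes([TCPOPT_MAXSEG, 4, 0x05, 0xB4])
SAMPLES = {
    "legit_syn": build_tcp(40000, 80, 1000, 0, TH_SYN, MSS_1460),
    "flood_syn": build_tcp(40001, 80, 1000, 0, TH_SYN),
    "flood_ack": build_tcp(40002, 80, 1000, 0, TH_ACK),
    "legit_ack": build_tcp(40003, 80, 1001, 5000, TH_ACK),
    "nop_padded_syn": build_tcp(40004, 80, 1000, 0, TH_SYN,
                                bytes([TCPOPT_NOP, TCPOPT_NOP]) + MSS_1460),
}

if __name__ == "__main__":
    for name, seg in SAMPLES.items():
        print(f"{name:15s} {classify(seg)}")
```

Both checks are heuristics, not correctness tests: a SYN without an MSS option is legal (the receiver then assumes the 536-byte default), and an established connection will legitimately emit an ACK with acknowledgment number 0 once per 2^32 bytes as the number wraps. In ipfw the SYN-side check maps onto a rule combining a SYN-only flag match with the `tcpoptions` keyword, which can match on the presence or absence of `mss`; the stateful approach Luigi points at, which admits only segments belonging to a connection that was opened with a SYN, is expressed with `keep-state` and `check-state` and does not depend on either heuristic.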