From: Josh Brooks
To: Julian Elischer
Cc: freebsd-hackers@freebsd.org
Date: Wed, 15 Jan 2003 14:18:53 -0800 (PST)
Subject: Re: simple tcp question (syn, no mss)
Message-ID: <20030115141115.T39623-100000@mail.econolodgetulsa.com>

Yes, I did that :)  Take a look:

00001   15554    624172 count tcp from any to any setup tcpoptions !mss
00002   16475    664738 count tcp from any to any tcpflags syn tcpoptions !mss
00003 3743453 196847392 count tcp from any to any setup

So ... 1/296th of all my setup (syn, no ack) packets have no mss. Actually the number is even smaller, since I put the first two rules in place about an hour or so before the third rule...

Also, I can support the notion that any remaining non-DoS packets that are setup (syn, no ack) and have no mss are indeed worm packets. I ran this tcpdump line:

    tcpdump -vvv -n | grep " S " | grep -v mss | more

and all I got were random connections to port 80, 1080, and 8080 over and over again.
Sometimes they would scan over consecutive IPs on my end, and sometimes they would just be random IPs on my end - but they look like worm packets nonetheless.

--------

So I have decided I am going to put in one of the above two block rules ... I think I have mostly Windows and Linux 2.x users anyway, so I am not going to be denying anyone.

I have one last question - why are the numbers (count) of these two rules different:

00001   15554    624172 count tcp from any to any setup tcpoptions !mss
00002   16475    664738 count tcp from any to any tcpflags syn tcpoptions !mss

The first rule says any syn!ack packets (setup) that have no mss, and there are apparently about 7% fewer packets that match this than match simply having SYN (and who knows what other flags) and no mss.

Comments as to why these numbers are different, and what _additional_ things get blocked by rule #2?

thanks.

On Wed, 15 Jan 2003, Julian Elischer wrote:

> why don't you put in a rule to catch them and count them.
> then after a day or two you can go see how many there were..
>
>
> On Wed, 15 Jan 2003, Josh Brooks wrote:
>
> >
> > Will I ever see a _legitimate_ packet in the wild that is a SYN, and has
> > no MSS ?
> >
> >
> > If the answer is no, then is this a good rule to block those:
> >
> > ipfw add 00001 deny tcp from any to any tcpflags syn tcpoptions !mss
> >
> > Or is this one better:
> >
> > ipfw add 00002 deny tcp from any to any setup tcpoptions !mss
> >
> > -----
> >
> > I am simply trying to place a rule which blocks those packets and does not
> > deny _any_ legitimate traffic (I don't consider nmapping to be legit for
> > this discussion) - this is all provided that I am correct that there are
> > no _legitimate_ packets in the wild that have a SYN and no MSS.
> >
> > thanks.
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
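The difference between the two count rules comes down to how ipfw defines the keywords: `setup` is shorthand for `tcpflags syn,!ack` (SYN set, ACK clear), whereas `tcpflags syn` only requires SYN to be set and says nothing about the other bits. Rule #2 therefore also counts SYN+ACK segments that carry no MSS option (the replies coming back for connections the host itself opened, from peers that do not send MSS) and SYN packets with extra flags such as SYN+FIN or SYN+RST, which is where the extra ~7% can come from. The script below is an added example, not part of the thread or of ipfw: it builds a few constructed TCP headers, parses the flags and options, and evaluates both rules against each so the two match sets can be compared directly. The header builder, the option walker and the sample packets are all assumptions made for this illustration.

```python
"""Model the two ipfw count rules from the thread against raw TCP headers.

  rule 1: ... setup        tcpoptions !mss   -> SYN set, ACK clear, no MSS option
  rule 2: ... tcpflags syn tcpoptions !mss   -> SYN set, any other flags, no MSS option

Example code only; the sample headers are constructed, not captured traffic.
"""
import struct

# TCP flag bits in the data-offset/flags word
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MSS = 0, 1, 2


def build_tcp_header(sport, dport, flags, options=b""):
    """Build a minimal 20-byte TCP header plus raw options (checksum left zero)."""
    options += b"\x00" * ((-len(options)) % 4)      # pad options to a 32-bit boundary
    data_offset = 5 + len(options) // 4              # header length in 32-bit words
    offset_flags = (data_offset << 12) | flags
    fixed = struct.pack("!HHIIHHHH", sport, dport, 0, 0, offset_flags, 65535, 0, 0)
    return fixed + options


def parse_tcp(hdr):
    """Return (flags, {option_kind: option_data}) from a raw TCP header."""
    offset_flags = struct.unpack("!HHIIHHHH", hdr[:20])[4]
    data_offset = offset_flags >> 12
    flags = offset_flags & 0x1FF
    opts = hdr[20:data_offset * 4]
    options = {}
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:                       # single-byte padding option
            i += 1
            continue
        if i + 1 >= len(opts):                       # truncated option: stop, do not guess
            break
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):     # malformed length: stop parsing
            break
        options[kind] = opts[i + 2:i + length]
        i += length
    return flags, options


def matches_setup_no_mss(hdr):
    """ipfw 'setup tcpoptions !mss': SYN set, ACK clear, and no MSS option present."""
    flags, options = parse_tcp(hdr)
    return bool(flags & SYN) and not (flags & ACK) and TCPOPT_MSS not in options


def matches_syn_no_mss(hdr):
    """ipfw 'tcpflags syn tcpoptions !mss': SYN set (other bits ignored), no MSS option."""
    flags, options = parse_tcp(hdr)
    return bool(flags & SYN) and TCPOPT_MSS not in options


MSS_1460 = bytes([TCPOPT_MSS, 4, 0x05, 0xB4])        # MSS option advertising 1460

# Constructed sample headers covering the cases the two rules treat differently
SAMPLES = {
    "normal SYN with MSS":      build_tcp_header(40000, 80, SYN, MSS_1460),
    "SYN with NOP,NOP,MSS":     build_tcp_header(40001, 80, SYN, b"\x01\x01" + MSS_1460),
    "SYN, no MSS":              build_tcp_header(40002, 80, SYN),
    "SYN+ACK, no MSS":          build_tcp_header(80, 40003, SYN | ACK),
    "SYN+FIN, no MSS":          build_tcp_header(40004, 8080, SYN | FIN),
}


def classify(samples=SAMPLES):
    """Return {name: (matches rule 1, matches rule 2)} for each sample header."""
    return {name: (matches_setup_no_mss(h), matches_syn_no_mss(h))
            for name, h in samples.items()}


if __name__ == "__main__":
    for name, (r1, r2) in classify().items():
        print(f"{name:24s} setup !mss: {str(r1):5}  tcpflags syn !mss: {str(r2):5}")
```

Running it shows the only sample that rule #2 counts and rule #1 does not is the SYN+ACK without MSS; the SYN+FIN probe (the nmap-style case) is caught by both. A deny built on rule #2 would therefore also drop inbound SYN+ACK replies from any peer that omits MSS, which is the trade-off to weigh before choosing it over `setup`.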