Date: Sat, 11 Jan 2003 16:40:53 -0800 (PST)
From: Josh Brooks <user@mail.econolodgetulsa.com>
To: freebsd-net@freebsd.org
Subject: ipfw rules - SYN w/o MSS, and ACK with 0 sequence number
Message-ID: <20030111163433.S78856-100000@mail.econolodgetulsa.com>
Hi,

After reading some more documents on DoS attacks (namely http://www.e-gerbil.net/ras/projects/dos/dos.txt ) I have found that there are two nice mechanisms to thwart a large number of ack and syn floods.

First, it turns out (from the paper I mention above) that most of the SYN flood tools out there send the SYNs with no MSS.

Second, it turns out that the default stream.c has ACK numbers of zero on every packet.

So although I realize that since ipfw is stateless I cannot put in the _real_ fix (with ipfilter):

-- start rule set --
block in quick proto tcp from any to any head 100
pass in quick proto tcp from any to any flags S keep state group 100
pass in all
-- end rule set --

BUT, if I am willing to give up all of my packets with an ACK of zero (even legitimate ones) I could then block the default behavior of stream.c, right ?

---------

So ... does anyone have ipfw syntax for the above two scenarios ?

AND, am I correct, or will I introduce unexpected trouble by placing them in my ipfw ruleset ?

As far as I understand it to this point, if I were to place these two rules in place _not only_ would I receive a great degree of protection from ack and syn floods, but further the only possible downside is that I might drop a legitimate ack=0 packet once in a while.

Comments ?

thanks.
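The two filters asked for above, written out as an added example; this is not part of Josh's message or of any reply in the thread. It assumes an ipfw(8) that understands the `setup`, `tcpoptions` (with `!mss` for "option absent") and `tcpack` keywords, an external interface called fxp0 (assumed name, set via EXT_IF) and free rule numbers starting at 1000 (assumed, set via BASE). Two caveats worth building into the rules themselves: a plain SYN also carries an acknowledgment number of 0, so the second rule must be limited to packets with the ACK flag set or it would drop every incoming connection attempt; and RFC 793 makes the MSS option optional (the default is 536), so a SYN without it is legal, if rare, and the first rule will drop such peers.

```shell
#!/bin/sh
# Added example, not the original poster's rules. Requires an ipfw(8) with
# the "setup", "tcpoptions !mss" and "tcpack" keywords.
set -e

EXT_IF="${EXT_IF:-fxp0}"   # assumed external interface name
BASE="${BASE:-1000}"       # assumed rule numbers; pick ones free in your set
IPFW="${IPFW:-ipfw}"

# Emit the two rules, one per line, without applying them.
# "log" needs net.inet.ip.fw.verbose=1 to actually write anything.
synflood_rules() {
    # 1. Connection attempts (SYN without ACK, i.e. "setup") that carry no
    #    MSS option: the signature the referenced paper attributes to most
    #    SYN flood tools.
    printf 'add %d deny log tcp from any to any in via %s setup tcpoptions !mss\n' \
        "$BASE" "$EXT_IF"
    # 2. Packets with the ACK flag set and an acknowledgment number of 0
    #    (stream.c's default). "tcpflags ack" is essential here: a SYN has
    #    ack=0 too, and "tcpack 0" alone would drop every new connection.
    printf 'add %d deny log tcp from any to any in via %s tcpflags ack tcpack 0\n' \
        "$((BASE + 1))" "$EXT_IF"
}

rule_count() {
    synflood_rules | wc -l | tr -d ' '
}

# Apply the rules with ipfw(8) when it is present and we are root;
# otherwise print what would be run (dry run).
apply_rules() {
    if command -v "$IPFW" >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        synflood_rules | while IFS= read -r rule; do
            # word-splitting of $rule is intended: each word is an ipfw token
            # shellcheck disable=SC2086
            "$IPFW" $rule
        done
    else
        echo "dry run (ipfw not found or not root); rules that would be added:"
        synflood_rules | sed 's/^/  ipfw /'
    fi
}

apply_rules
```

Run it as root on the firewall to install the rules, or as an ordinary user to see them. Both rules sit before any "allow" for the interface, since ipfw stops at the first match. Note that ipfw is not purely stateless: it has its own `check-state` / `keep-state` dynamic rules, and `allow tcp from any to any setup keep-state` preceded by `check-state` is the ipfw counterpart of the ipfilter rule set in the message, which only admits packets belonging to a connection that began with a SYN.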