From owner-freebsd-net Sat Jan 11 16:40:59 2003
Date: Sat, 11 Jan 2003 16:40:53 -0800 (PST)
From: Josh Brooks
To: freebsd-net@freebsd.org
Subject: ipfw rules - SYN w/o MSS, and ACK with 0 sequence number
Message-ID: <20030111163433.S78856-100000@mail.econolodgetulsa.com>

Hi,

After reading some more documents on DoS attacks (namely
http://www.e-gerbil.net/ras/projects/dos/dos.txt ) I have found that there
are two nice mechanisms to thwart a large number of ack and syn floods.

First, it turns out (from the paper I mention above) that most of the SYN
flood tools out there send the SYNs with no MSS.

Second, it turns out that the default stream.c has ACK numbers of zero on
every packet.

So although I realize that since ipfw is stateless I cannot put in the
_real_ fix (with ipfilter):

-- start rule set --
block in quick proto tcp from any to any head 100
pass in quick proto tcp from any to any flags S keep state group 100
pass in all
-- end rule set --

BUT, if I am willing to give up all of my packets with an ACK of zero (even
legitimate ones) I could then block the default behavior of stream.c, right?

---------

So ... does anyone have ipfw syntax for the above two scenarios? AND, am I
correct, or will I introduce unexpected trouble by placing them in my ipfw
ruleset?

As far as I understand it to this point, if I were to place these two rules
in place _not only_ would I receive a great degree of protection from ack and
syn floods, but further the only possible downside is that I might drop a
legitimate ack=0 packet once in a while.

Comments?

thanks.
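The two heuristics the post asks about (drop a SYN that carries no MSS option, drop an ACK whose acknowledgment number is zero) are simple header predicates, and the question of whether they cause "unexpected trouble" comes down to exactly which header fields they test. The following is an added example, not code from the post or from FreeBSD: it parses a raw TCP header, evaluates both predicates, and runs them over four constructed segments. The one detail it makes visible is that the ack=0 check must also require the ACK flag, because every initial SYN carries an acknowledgment field of zero; without that condition the rule would drop all new connections, not just stream.c traffic. The ipfw rule text in the comments is my assumption of ipfw2 syntax (`tcpflags`, `tcpoptions`, `tcpack` as documented in ipfw(8) for FreeBSD 5.x) and is not verified against the ipfw version the poster is running.

```python
import struct

# TCP flag bits from RFC 793 and option kinds from RFC 793 (EOL, NOP, MSS)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MSS = 0, 1, 2


def parse_tcp(segment):
    """Parse a raw TCP header and return its ports, seq/ack numbers, flags
    and a dict of option kind -> option payload bytes."""
    if len(segment) < 20:
        raise ValueError("short TCP header")
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    data_offset = (off_flags >> 12) * 4      # header length in bytes
    flags = off_flags & 0x1FF
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset")
    opts = {}
    i = 20
    while i < data_offset:
        kind = segment[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= data_offset:
            raise ValueError("truncated option")
        length = segment[i + 1]
        if length < 2 or i + length > data_offset:
            raise ValueError("bad option length")
        opts[kind] = segment[i + 2:i + length]
        i += length
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "options": opts}


def syn_without_mss(hdr):
    """Heuristic 1 from the post: an initial SYN (SYN set, ACK clear) that
    carries no MSS option.  Assumed ipfw2 equivalent:
        ipfw add deny tcp from any to any tcpflags syn,!ack tcpoptions !mss"""
    flags = hdr["flags"]
    return bool(flags & SYN) and not (flags & ACK) \
        and TCPOPT_MSS not in hdr["options"]


def ack_with_zero_acknum(hdr):
    """Heuristic 2 from the post: an ACK segment whose acknowledgment
    number is zero.  The ACK-flag test is essential: a plain SYN also has
    ack == 0 and must not match.  Assumed ipfw2 equivalent:
        ipfw add deny tcp from any to any tcpflags ack tcpack 0"""
    return bool(hdr["flags"] & ACK) and hdr["ack"] == 0


def classify(segment):
    """Apply both heuristics in order and return the verdict."""
    hdr = parse_tcp(segment)
    if syn_without_mss(hdr):
        return "drop: SYN without MSS"
    if ack_with_zero_acknum(hdr):
        return "drop: ACK with ack=0"
    return "pass"


def build_tcp(sport, dport, seq, ack, flags, options=b""):
    """Build a minimal TCP header (window 65535, zero checksum) for tests."""
    options += b"\x00" * ((-len(options)) % 4)   # pad options with EOL
    data_offset = (20 + len(options)) // 4
    fixed = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                        (data_offset << 12) | flags, 65535, 0, 0)
    return fixed + options


# Constructed sample segments (not captured traffic).
MSS_1460 = bytes([TCPOPT_MSS, 4, 0x05, 0xB4])
SAMPLES = {
    "legit_syn":        build_tcp(40000, 80, 1000, 0, SYN, MSS_1460),
    "flood_syn_no_mss": build_tcp(40001, 80, 1000, 0, SYN),
    "stream_ack_zero":  build_tcp(40002, 80, 1000, 0, ACK),
    "legit_ack":        build_tcp(40003, 80, 1001, 5000, ACK),
}

if __name__ == "__main__":
    for name, seg in SAMPLES.items():
        print(f"{name:18s} -> {classify(seg)}")
```

The residual false-positive rate the post guesses at is real but small: a legitimate acknowledgment number passes through zero only when the peer's sequence space wraps at that exact point, so on average one ACK in 2^32 per stream is affected; a SYN without MSS is rarer still from real stacks, which all send one.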