Date:      Wed, 28 Jan 2015 14:55:08 +0100 (CET)
From:      krichy@tvnetwork.hu
To:        misc@openbsd.org
Cc:        freebsd-pf@freebsd.org
Subject:   pf synproxy
Message-ID:  <alpine.DEB.2.11.1501281448140.5880@krichy.tvnetwork.hu>

Dear all,

I've set up a pf firewall with synproxy. I ran a simulated DDoS against a
service behind pf, and everything went fine, until I found that rarely a
TCP connection got established to the service behind pf.

The reason was (due to a configuration problem) that the firewall actually
was connected to the Internet, and it continued the TCP handshake. As the
spoofed source addresses sometimes were real, live systems on the
Internet, the SYN+ACK packet got to them. Mainly they replied with an RST
packet, but some replied with RST+ACK. And in pf's source code I found
that the synproxy code only checks for the ACK flag, and if it is set, it
declares the connection established.

This way, one could find some machines with such TCP implementations, and 
use them to actually DDoS the target service.

Opinions?

Kojedzinszky Richard
Euronet Magyarorszag Informatika Zrt.



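As an added illustration (not code from pf and not from the poster), the following C program models the proxy-side check the message describes: the proxy answers the client's SYN with its own SYN+ACK, then decides whether the third packet completes the handshake. The "flawed" check looks only at the ACK bit, so a reflected RST+ACK from a live host whose address was spoofed is accepted; the "fixed" variant also rejects any segment carrying RST. The sequence-number matching and the state names are assumptions of this model, chosen so that the reflected RST+ACK lines up with what the proxy expects, as the post implies it did; they are not a claim about the exact pf implementation.

```c
#include <stdint.h>
#include <stdio.h>

/* TCP flag bits, same values as in <netinet/tcp.h> */
#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_ACK 0x10

/* Assumed proxy states for this model (not pf's real names). */
enum proxy_state { PROXY_SRC, PROXY_DST, PROXY_DROPPED };

struct synproxy_state {
    enum proxy_state st;
    uint32_t seqlo;   /* client's ISN, taken from its SYN          */
    uint32_t seqhi;   /* ISN the proxy used in its own SYN+ACK     */
};

struct tcp_pkt {
    uint8_t  flags;
    uint32_t seq;
    uint32_t ack;
};

/* Proxy receives the initial SYN: record the client ISN, pick our own ISN
 * and (conceptually) send SYN+ACK back to the claimed source address. */
void synproxy_on_syn(struct synproxy_state *s, uint32_t client_isn, uint32_t proxy_isn)
{
    s->st = PROXY_SRC;
    s->seqlo = client_isn;
    s->seqhi = proxy_isn;
}

/* Flawed check, as described in the post: the RST bit is never inspected.
 * Returns 1 if the proxy declares the client side established. */
int synproxy_third_packet_flawed(struct synproxy_state *s, const struct tcp_pkt *p)
{
    if (p->flags & TH_SYN)          /* retransmitted SYN: not established yet */
        return 0;
    if (!(p->flags & TH_ACK) ||
        p->ack != s->seqhi + 1 ||   /* must acknowledge our SYN+ACK          */
        p->seq != s->seqlo + 1)     /* must continue the client's sequence   */
        return 0;
    s->st = PROXY_DST;              /* go on to open the server-side leg     */
    return 1;
}

/* Fixed variant: a segment carrying RST can never complete the handshake. */
int synproxy_third_packet_fixed(struct synproxy_state *s, const struct tcp_pkt *p)
{
    if (p->flags & TH_RST) {
        s->st = PROXY_DROPPED;
        return 0;
    }
    return synproxy_third_packet_flawed(s, p);
}

/* Simulate one spoofed SYN followed by the reply the real owner of the
 * spoofed address sends after receiving our unsolicited SYN+ACK.
 * reply_flags: TH_ACK (genuine client), TH_RST, or TH_RST|TH_ACK.
 * Assumption: the reflected segment's seq/ack line up with our expectations.
 * Returns 1 if the proxy opens the connection to the protected service. */
int simulate_handshake(uint8_t reply_flags, int use_fixed_check)
{
    struct synproxy_state s;
    struct tcp_pkt reply;

    synproxy_on_syn(&s, 0x10000000u, 0x2c0ffee0u);  /* constructed ISNs */
    reply.flags = reply_flags;
    reply.seq = s.seqlo + 1;
    reply.ack = s.seqhi + 1;

    return use_fixed_check ? synproxy_third_packet_fixed(&s, &reply)
                           : synproxy_third_packet_flawed(&s, &reply);
}

int main(void)
{
    const struct { const char *name; uint8_t flags; } replies[] = {
        { "ACK",     TH_ACK },
        { "RST",     TH_RST },
        { "RST+ACK", TH_RST | TH_ACK },
    };
    for (unsigned i = 0; i < sizeof replies / sizeof replies[0]; i++)
        printf("%-8s flawed=%d fixed=%d\n", replies[i].name,
               simulate_handshake(replies[i].flags, 0),
               simulate_handshake(replies[i].flags, 1));
    return 0;
}
```

Only the RST+ACK row differs between the two checks: with the flag test limited to ACK, a reflector that answers unsolicited SYN+ACKs with RST+ACK is enough to make the proxy open the server-side connection on the attacker's behalf.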