Date: Wed, 28 Jan 2015 14:55:08 +0100 (CET) From: krichy@tvnetwork.hu To: misc@openbsd.org Cc: freebsd-pf@freebsd.org Subject: pf synproxy Message-ID: <alpine.DEB.2.11.1501281448140.5880@krichy.tvnetwork.hu>
next in thread | raw e-mail | index | archive | help
Dear all, I've setup a pf firewall with synproxy. I've ran a simulated DDoS for a service behind pf, everything went fine, until I've found that rarely a tcp connection got established to the service behind pf. The reason was (due to a configuraion problem) that the firewall actually was connected to the Internet, and it continued the tcp handshake. As the spoofed source addresses sometimes were real alive systems on the Internet, the SYN+ACK packet got to them. Mainly they replied with an RST packet, but some replaied with RST+ACK. And in pf's source code I found that the synproxy code only checks for the ACK flag, and if set, it declares the connection established. This way, one could find some machines with such TCP implementations, and use them to actually DDoS the target service. Opinions? Kojedzinszky Richard Euronet Magyarorszag Informatika Zrt.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?alpine.DEB.2.11.1501281448140.5880>