From: "Louis A. Mamakos"
To: Josh Brooks
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: ipfw: blocking syn floods - two proposed rules
Date: Wed, 15 Jan 2003 09:26:28 -0500
Message-Id: <200301151426.h0FEQS4E027966@whizzo.transsys.com>
In-reply-to: Your message of "Tue, 14 Jan 2003 21:30:28 PST." <20030114212944.A39623-100000@mail.econolodgetulsa.com>
References: <20030114212944.A39623-100000@mail.econolodgetulsa.com>

> My goal is to create an ipfw rule that stops normal syn floods by blocking
> ALL syn packets that have no MSS set.
>
> My understanding is that there is no legitimate packet that is a SYN and
> has no MSS, and further, most of the kiddie tools in existence for syn
> flooding do indeed send syn packets with no MSS.

Strictly speaking, a TCP stack is not REQUIRED to include an MSS option on
the TCP SYN segment. It's the only time one can be specified, but if the
TCP is happy with the 536 byte default, it needn't bother.
Even older versions of the 4.3BSD-based TCP/IP stack had this issue, and
didn't include an MSS option if the interface MTU was sufficiently small.

In practice, I'm not sure how much of an issue this might be these days,
but you should probably check to see if you really see NO legitimate
connections before you really start filtering.

louie
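The check Louie suggests, verifying that no legitimate connections arrive as SYNs without an MSS option before such a filter goes in, as an added example that is not code from this thread: a small Python audit that parses the TCP options field and counts initial SYNs with and without MSS. The segments in SAMPLE are constructed inline, not captured traffic; running it over real TCP headers pulled from a capture is assumed to be the reader's step.

```python
import struct

MSS = 2  # TCP option kind for Maximum Segment Size

def parse_tcp_options(opts: bytes) -> dict:
    """Return {kind: value} for a TCP options field; NOP and EOL are skipped."""
    found, i = {}, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # End of Option List
            break
        if kind == 1:                      # No-Operation padding
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed TCP option at offset %d" % i)
        found[kind] = opts[i + 2:i + opts[i + 1]]
        i += opts[i + 1]
    return found

def is_initial_syn(seg: bytes) -> bool:
    """SYN set and ACK clear, i.e. the first segment of a handshake (not a SYN-ACK)."""
    return len(seg) >= 20 and bool(seg[13] & 0x02) and not seg[13] & 0x10

def has_mss(seg: bytes) -> bool:
    """True if the segment's options field carries an MSS option."""
    return MSS in parse_tcp_options(seg[20:(seg[12] >> 4) * 4])

def audit_syns(segments) -> tuple:
    """Count initial SYNs with and without MSS: the check to run before filtering."""
    syns = [s for s in segments if is_initial_syn(s)]
    with_mss = sum(1 for s in syns if has_mss(s))
    return with_mss, len(syns) - with_mss

def build_syn(sport: int, dport: int, options: bytes = b"", flags: int = 0x02) -> bytes:
    """Construct a bare TCP segment (no IP header); options are EOL-padded to 4 bytes."""
    options += b"\x00" * ((-len(options)) % 4)
    offset = 5 + len(options) // 4
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, offset << 4, flags, 65535, 0, 0) + options

# Constructed sample traffic (not a real capture): SYNs with MSS 1460, a bare SYN, and a SYN-ACK.
SAMPLE = [
    build_syn(40000, 80, b"\x02\x04\x05\xb4"),
    build_syn(40001, 80, b"\x01\x01\x02\x04\x05\xb4"),
    build_syn(40002, 80),
    build_syn(80, 40000, b"\x02\x04\x05\xb4", flags=0x12),
]

if __name__ == "__main__":
    print("initial SYNs with MSS: %d, without MSS: %d" % audit_syns(SAMPLE))
```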