Date: Wed, 15 Jan 2003 15:36:28 +0100 From: Andre Oppermann <oppermann@pipeline.ch> To: "Louis A. Mamakos" <louie@TransSys.COM> Cc: Josh Brooks <user@mail.econolodgetulsa.com>, freebsd-net@FreeBSD.ORG Subject: Re: ipfw: blocking syn floods - two proposed rules Message-ID: <3E2571EC.339F829F@pipeline.ch> References: <20030114212944.A39623-100000@mail.econolodgetulsa.com> <200301151426.h0FEQS4E027966@whizzo.transsys.com>
next in thread | previous in thread | raw e-mail | index | archive | help
"Louis A. Mamakos" wrote: > > > > > My goal is to create an ipfw rule that stops normal syn floods by blocking > > ALL syn packets that have no MSS set. > > > > My understanding is that there is no legitimate packet that is a SYN and > > has no MSS, and further, most of the kiddie tools in existence for syn > > flooding do indeed send syn packets with no MSS. > > Strictly speaking, a TCP stack is not REQUIRED to include an MSS option > on the TCP SYN segment. It's the only time one can be specified, but > if the TCP is happy with the 536 byte default, it needn't bother. > > Even older versions of the 4.3BSD-based TCP/IP stack had this issue, > and didn't include an MSS option if the interface MTU was sufficiently > small. > > In practice, I'm not sure how much of an issue this might be these > days, but you should probably check to see if really see NO legitimate > connections before you really start filtering. In a recent study my diploma students found that out of a dataset of 9 million TCP SYN in real life traffic (Sunsite Switzerland, five popular newspaper sites) approximatly 5% did not have the MSS option set. We did not manage to figure the OS of those SYN packets. -- Andre To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3E2571EC.339F829F>