From: Richard A Steenbergen
To: Andre Oppermann
Cc: "Louis A. Mamakos", Josh Brooks, freebsd-net@FreeBSD.ORG
Date: Wed, 15 Jan 2003 13:36:56 -0500
Subject: Re: ipfw: blocking syn floods - two proposed rules
Message-ID: <20030115183655.GQ78231@overlord.e-gerbil.net>
References: <20030114212944.A39623-100000@mail.econolodgetulsa.com> <200301151426.h0FEQS4E027966@whizzo.transsys.com> <3E2571EC.339F829F@pipeline.ch>
In-Reply-To: <3E2571EC.339F829F@pipeline.ch>

On Wed, Jan 15, 2003 at 03:36:28PM +0100, Andre Oppermann wrote:
> In a recent study my diploma students found that out of a dataset of
> 9 million TCP SYNs in real life traffic (Sunsite Switzerland, five
> popular newspaper sites) approximately 5% did not have the MSS option
> set. We did not manage to figure the OS of those SYN packets.
A significant portion of the non-DoS SYNs without MSS option that I see are worms, automated port scanners, or otherwise tools which are using raw sockets to construct TCP SYNs for various nefarious purposes (the problem seems to be that the kiddies writing the code can't get the tcp pseudoheader checksum right if they include options :P).

If you're willing to deny service to some potentially legitimate users with old or bizarre TCP/IP stacks, blocking non-MSS SYNs can be an effective tool against some of the above activities. Otherwise, I would recommend a small rate limit against those packets. It depends on your application, for example if you are running a web service which is only useful to people with modern Windows browsers already, preventing worms and port scans might be worth blocking some legit users. If you desire full end-to-end reachability "most of the time", and just want to prevent some DoS, a rate limit is probably more useful.

-- 
Richard A Steenbergen http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
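Added example, not part of Richard's message or of ipfw: a Python classifier that performs, on raw TCP segments, the two checks the thread turns on, namely whether a SYN carries the MSS option (what an ipfw `setup tcpoptions !mss` match keys on) and whether its pseudo-header checksum is correct (the defect Richard attributes to hand-rolled raw-socket SYNs). Addresses, ports and the sample segments are constructed here for illustration.

```python
import struct

def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """RFC 793 ones-complement sum over the IPv4 pseudo-header plus the TCP segment; 0 means the segment's checksum field is correct."""
    data = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment)) + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def tcp_options(segment: bytes):
    """Yield (kind, payload) for each TCP option; stop at EOL or on a malformed length."""
    opts = segment[20:(segment[12] >> 4) * 4]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # end of option list
            break
        if kind == 1:            # NOP padding has no length byte
            i += 1
            continue
        length = opts[i + 1] if i + 1 < len(opts) else 0
        if length < 2 or i + length > len(opts):
            break                # truncated or bogus option, ignore the rest
        yield kind, opts[i + 2:i + length]
        i += length

def classify(src_ip: bytes, dst_ip: bytes, segment: bytes) -> str:
    """Label a segment: not-syn, bad-checksum, syn-no-mss, or syn-mss=<value>."""
    if (segment[13] & 0x12) != 0x02:         # SYN set and ACK clear, i.e. ipfw 'setup'
        return "not-syn"
    if tcp_checksum(src_ip, dst_ip, segment) != 0:
        return "bad-checksum"
    opts = dict(tcp_options(segment))
    if 2 not in opts or len(opts[2]) != 2:   # option kind 2 is MSS, 2-byte payload
        return "syn-no-mss"
    return "syn-mss=%d" % struct.unpack("!H", opts[2])[0]

def build_syn(src_ip: bytes, dst_ip: bytes, sport: int, dport: int, options: bytes = b"") -> bytes:
    """Construct a SYN segment with a valid checksum (sample input only; nothing is sent)."""
    options += b"\x00" * (-len(options) % 4)               # pad options to a 32-bit boundary
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, (5 + len(options) // 4) << 4, 0x02, 65535, 0, 0) + options
    return hdr[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, hdr)) + hdr[18:]

# Constructed samples using RFC 5737 documentation addresses.
SRC, DST = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 80])
NORMAL = build_syn(SRC, DST, 40000, 80, b"\x02\x04\x05\xb4")   # SYN with MSS 1460
NO_MSS = build_syn(SRC, DST, 40001, 80)                         # bare SYN, no options at all
BAD_CSUM = NORMAL[:16] + b"\x00\x00" + NORMAL[18:]              # options present, checksum wrong
```

Run `classify(SRC, DST, seg)` over the three samples to see the three labels; against a capture, the syn-no-mss and bad-checksum buckets are the ones to count before deciding between a drop and a rate limit.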