My goal is to create an ipfw rule that stops normal syn floods by blocking
ALL syn packets that have no MSS set.

My understanding is that there is no legitimate packet that is a SYN and
has no MSS, and further, most of the kiddie tools in existence for syn
flooding do indeed send syn packets with no MSS.

Here is what I came up with:

ipfw add 00001 deny tcp from any to any tcpoptions !mss setup

the rationale here is that I am blocking all tcp connections with no MSS,
provided that they are in the setup phase - and the man page for ipfw
states:

             setup   TCP packets only.  Match packets that have the SYN
                     bit set but no ACK bit.

So therefore I would get all the no mss syn packets, and I wouldn't
inadvertently get a syn+ack packet ... I am mainly worried about this
because I do not know for sure if a syn+ack packet with no MSS is
legitimate...just in case there are some, I thought this would be a good
rule.

Next:

ipfw add 00001 deny tcp from any to any tcpoptions !mss tcpflags syn

Same idea, but I explicitly define it to match _any_ packet that contains
a syn and has no MSS - so theoretically there could be other flags besides
syn set as well and I would still drop it.  Again, I am worried because,
although I know that there are no syn-only packets with no MSS, I am not
sure if there are ever (in the wild) syn+(other flags) packets with no
MSS.  Comments ?

Finally:

ipfw add 00001 deny tcp from any to any tcpoptions !mss tcpflags syn,!ack

I am fairly certain that this rule is _functionally identical_ to the
first rule which used the setup keyword.

-----------

So, any comments ?  Which of these is best ?  And given my original goal:

"to create an ipfw rule that stops normal syn floods by blocking
ALL syn packets that have no MSS set."

will whatever rule above is the best one accomplish that goal ?  Will
there be unintended consequences like all sorts of lost traffic and
customers complaining and me locked out of my firewall etc ?  I specify
00001 in all those rules above because I really do plan on putting it as
my first (or so) rule...

comments appreciated.
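The following is an added example, not part of the original post and not ipfw's own code. It models the match logic of the three rules in Python so the differences can be checked on constructed TCP segments: a minimal TCP header builder and option parser (the MSS option is kind 2, length 4), plus one predicate per rule. The predicates assume ipfw's documented semantics: `setup` is "SYN set, ACK clear", `tcpflags syn` is "SYN set, other flags ignored", `tcpflags syn,!ack` is "SYN set and ACK clear" (the comma-separated form from the ipfw(8) man page), and `tcpoptions !mss` is "no MSS option present". The sample segments, ports and sequence numbers are constructed for this example only.

```python
import struct

# TCP flag bits as laid out in the header's flags byte (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
MSS_KIND = 2  # TCP option kind for Maximum Segment Size


def build_tcp_segment(flags, options=b""):
    """Build a minimal TCP header with no payload (constructed sample data)."""
    options += b"\x00" * (-len(options) % 4)      # options are padded to 32-bit words
    data_offset = (20 + len(options)) // 4         # header length in 32-bit words
    offset_flags = (data_offset << 12) | flags
    # src port, dst port, seq, ack, offset+flags, window, checksum, urgent pointer
    header = struct.pack("!HHIIHHHH", 12345, 80, 1, 0, offset_flags, 65535, 0, 0)
    return header + options


def mss_option(mss):
    """Encode an MSS option: kind=2, length=4, 16-bit value."""
    return struct.pack("!BBH", MSS_KIND, 4, mss)


def parse_tcp(segment):
    """Return (flags, set of option kinds present) for a raw TCP segment."""
    offset_flags = struct.unpack("!H", segment[12:14])[0]
    data_offset = (offset_flags >> 12) * 4
    flags = offset_flags & 0x1FF
    opts = segment[20:data_offset]
    kinds = set()
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                 # End of Option List
            break
        if kind == 1:                 # NOP: single byte, no length field
            i += 1
            continue
        if i + 1 >= len(opts):        # truncated option: stop rather than misread
            break
        length = opts[i + 1]
        if length < 2:                # malformed length: stop rather than loop forever
            break
        kinds.add(kind)
        i += length
    return flags, kinds


# One predicate per rule from the post; True means the rule would deny the packet.
def rule_setup_no_mss(flags, kinds):
    """ipfw ... tcpoptions !mss setup"""
    return MSS_KIND not in kinds and bool(flags & SYN) and not (flags & ACK)


def rule_syn_no_mss(flags, kinds):
    """ipfw ... tcpoptions !mss tcpflags syn"""
    return MSS_KIND not in kinds and bool(flags & SYN)


def rule_syn_notack_no_mss(flags, kinds):
    """ipfw ... tcpoptions !mss tcpflags syn,!ack"""
    return MSS_KIND not in kinds and bool(flags & SYN) and not (flags & ACK)


def sample_segments():
    """Constructed segments covering the cases the post is concerned about."""
    return {
        "syn_with_mss": build_tcp_segment(SYN, mss_option(1460)),
        "syn_no_mss": build_tcp_segment(SYN),
        "synack_no_mss": build_tcp_segment(SYN | ACK),
        "synack_with_mss": build_tcp_segment(SYN | ACK, mss_option(1460)),
        "ack_no_options": build_tcp_segment(ACK),
        "syn_nop_then_mss": build_tcp_segment(SYN, b"\x01" + mss_option(1460)),
    }


def evaluate_rules(segments):
    """Map each sample name to (rule1, rule2, rule3) deny decisions."""
    results = {}
    for name, seg in segments.items():
        flags, kinds = parse_tcp(seg)
        results[name] = (
            rule_setup_no_mss(flags, kinds),
            rule_syn_no_mss(flags, kinds),
            rule_syn_notack_no_mss(flags, kinds),
        )
    return results


if __name__ == "__main__":
    for name, decision in evaluate_rules(sample_segments()).items():
        print(f"{name:18s} setup={decision[0]!s:5} syn={decision[1]!s:5} syn,!ack={decision[2]!s:5}")
```

Running it shows rule 1 and rule 3 deny exactly the same segments (a SYN with no MSS, whether or not other options such as NOP precede a present MSS), while rule 2 additionally denies a SYN+ACK that carries no MSS, which is the unintended-consequence case the post raises.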
