> My goal is to create an ipfw rule that stops normal syn floods by blocking
> ALL syn packets that have no MSS set.
>
> My understanding is that there is no legitimate packet that is a SYN and
> has no MSS, and further, most of the kiddie tools in existence for syn
> flooding do indeed send syn packets with no MSS.
Strictly speaking, a TCP stack is not REQUIRED to include an MSS option on the TCP SYN segment. It's the only time one can be specified, but if the TCP is happy with the 536 byte default, it needn't bother. Even older versions of the 4.3BSD-based TCP/IP stack had this issue, and didn't include an MSS option if the interface MTU was sufficiently small.

In practice, I'm not sure how much of an issue this might be these days, but you should probably check to see if you really see NO legitimate connections before you really start filtering.

louie

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-net" in the body of the message
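As an added illustration of the check louie recommends (this is not code from the thread or from ipfw), the Python below walks the TCP option list of captured segments and reports the initial SYNs (SYN set, ACK clear) that carry no MSS option, so an operator can measure how many legitimate clients would be caught before deploying such a rule. The segments it inspects are constructed inline; `make_syn` is a test helper, not a real capture.

```python
import struct

def parse_tcp(tcp: bytes) -> dict:
    """Parse a raw TCP segment (no IP layer); return SYN/ACK flags and MSS (or None)."""
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    data_offset = (tcp[12] >> 4) * 4          # header length in bytes
    flags = tcp[13]
    info = {"syn": bool(flags & 0x02), "ack": bool(flags & 0x10), "mss": None}
    opts = tcp[20:data_offset]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                          # End of Option List
            break
        if kind == 1:                          # NOP padding
            i += 1
            continue
        if i + 1 >= len(opts):                 # kind byte with no length byte: malformed
            break
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            break                              # bad length: stop rather than over-read
        if kind == 2 and length == 4:          # MSS option (kind 2, length 4)
            info["mss"] = struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length
    return info

def initial_syns_without_mss(segments):
    """Return the segments that are initial SYNs (SYN, no ACK) with no MSS option."""
    out = []
    for seg in segments:
        p = parse_tcp(seg)
        if p["syn"] and not p["ack"] and p["mss"] is None:
            out.append(seg)
    return out

def make_syn(mss=None, ack=False, nops=0):
    """Constructed test segment: TCP header with optional NOP padding and MSS option."""
    opts = b"\x01" * nops
    if mss is not None:
        opts += struct.pack("!BBH", 2, 4, mss)
    opts += b"\x00" * (-len(opts) % 4)        # pad option list to a 4-byte boundary
    hlen = 20 + len(opts)
    flags = 0x02 | (0x10 if ack else 0)
    hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, (hlen // 4) << 4, flags, 65535, 0, 0)
    return hdr + opts

if __name__ == "__main__":
    sample = [make_syn(1460), make_syn(), make_syn(ack=True), make_syn(536, nops=2)]
    print(len(initial_syns_without_mss(sample)), "initial SYN(s) without MSS")
```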