"Louis A. Mamakos" wrote:
> 
> >
> > My goal is to create an ipfw rule that stops normal syn floods by blocking
> > ALL syn packets that have no MSS set.
> >
> > My understanding is that there is no legitimate packet that is a SYN and
> > has no MSS, and further, most of the kiddie tools in existence for syn
> > flooding do indeed send syn packets with no MSS.
> 
> Strictly speaking, a TCP stack is not REQUIRED to include an MSS option
> on the TCP SYN segment.  It's the only time one can be specified, but
> if the TCP is happy with the 536 byte default, it needn't bother.
> 
> Even older versions of the 4.3BSD-based TCP/IP stack had this issue,
> and didn't include an MSS option if the interface MTU was sufficiently
> small.
> 
> In practice, I'm not sure how much of an issue this might be these
> days, but you should probably check to see if really see NO legitimate
> connections before you really start filtering.

In a recent study my diploma students found that out of a dataset of
9 million TCP SYN in real life traffic (Sunsite Switzerland, five
popular newspaper sites) approximatly 5% did not have the MSS option
set. We did not manage to figure the OS of those SYN packets.

-- 
Andre

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-net" in the body of the message

Reply via email to