"Louis A. Mamakos" wrote: > > > > > My goal is to create an ipfw rule that stops normal syn floods by blocking > > ALL syn packets that have no MSS set. > > > > My understanding is that there is no legitimate packet that is a SYN and > > has no MSS, and further, most of the kiddie tools in existence for syn > > flooding do indeed send syn packets with no MSS. > > Strictly speaking, a TCP stack is not REQUIRED to include an MSS option > on the TCP SYN segment. It's the only time one can be specified, but > if the TCP is happy with the 536 byte default, it needn't bother. > > Even older versions of the 4.3BSD-based TCP/IP stack had this issue, > and didn't include an MSS option if the interface MTU was sufficiently > small. > > In practice, I'm not sure how much of an issue this might be these > days, but you should probably check to see if really see NO legitimate > connections before you really start filtering.
In a recent study my diploma students found that out of a dataset of 9 million TCP SYN in real life traffic (Sunsite Switzerland, five popular newspaper sites) approximatly 5% did not have the MSS option set. We did not manage to figure the OS of those SYN packets. -- Andre To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-net" in the body of the message