On Wed, Jan 15, 2003 at 03:36:28PM +0100, Andre Oppermann wrote:
> In a recent study my diploma students found that out of a dataset of
> 9 million TCP SYN in real life traffic (Sunsite Switzerland, five
> popular newspaper sites) approximately 5% did not have the MSS option
> set. We did not manage to figure the OS of those SYN packets.
A significant portion of the non-DoS SYNs without MSS option that I see are worms, automated port scanners, or otherwise tools which are using raw sockets to construct TCP SYNs for various nefarious purposes (the problem seems to be that the kiddies writing the code can't get the tcp pseudo-header checksum right if they include options :P).

If you're willing to deny service to some potentially legitimate users with old or bizarre TCP/IP stacks, blocking non-MSS SYNs can be an effective tool against some of the above activities. Otherwise, I would recommend a small rate limit against those packets.

It depends on your application; for example, if you are running a web service which is only useful to people with modern Windows browsers already, preventing worms and port scans might be worth blocking some legit users. If you desire full end-to-end reachability "most of the time", and just want to prevent some DoS, a rate limit is probably more useful.

--
Richard A Steenbergen <[EMAIL PROTECTED]>       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
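As an added illustration (not code from the thread or from FreeBSD), the classifier and the two policies described above in Python: it walks the TCP option list of a SYN segment to see whether an MSS option (kind 2) is present, then either drops such SYNs outright or admits them through a token-bucket rate limit. The sample segments are constructed bare TCP headers (no IP header, checksum left zero) and the bucket parameters are arbitrary.

```python
import struct

def build_tcp_header(flags, options=b""):
    # Constructed sample: bare TCP header with no IP header; checksum left zero.
    options += b"\x01" * (-len(options) % 4)      # pad with NOPs to a 32-bit boundary
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, ((20 + len(options)) // 4) << 4,
                       flags, 65535, 0, 0) + options

def tcp_option_kinds(segment):
    # Walk the option list: stop on EOL, skip NOP, bail on a truncated or bad length.
    opts, kinds, i = segment[20:(segment[12] >> 4) * 4], set(), 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:
            break
        if kind == 1:
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            break
        kinds.add(kind)
        i += opts[i + 1]
    return kinds

def is_syn_without_mss(segment):
    # Initial SYN (SYN set, ACK clear) that carries no MSS option (kind 2).
    flags = segment[13]
    return bool(flags & 0x02) and not (flags & 0x10) and 2 not in tcp_option_kinds(segment)

class TokenBucket:
    # `rate` tokens per second, at most `burst` banked; one token per admitted SYN.
    def __init__(self, rate, burst):
        self.rate, self.burst, self.tokens, self.last = rate, burst, float(burst), 0.0
    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < 1:
            return False
        self.tokens -= 1
        return True

def syn_policy(segment, mode, bucket=None, now=0.0):
    # "block" drops every MSS-less SYN; "ratelimit" admits them within the bucket budget.
    if not is_syn_without_mss(segment):
        return "pass"
    if mode == "block":
        return "drop"
    return "pass" if bucket.allow(now) else "drop"

SYN_WITH_MSS = build_tcp_header(0x02, b"\x02\x04\x05\xb4")  # constructed: SYN, MSS 1460
SYN_NO_MSS = build_tcp_header(0x02)                          # constructed: SYN, no options
```

Run against real traffic, the same check would sit on the TCP header pulled out of each captured SYN; a SYN/ACK or a SYN with a malformed option list is deliberately never counted as "SYN without MSS".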