I see a ton of evidence of TCP SYN+ACK reflection attacks lately, where an
(obviously forged) stream of TCP packets, which have a source port that is
a known service, like SSH or HTTPS, as opposed to a high-numbered port, is
hitting running services on my box. The service will happily engage and
reply to these forged packets, at least until TCP backs off.

Seems like this is a poor man's DDoS that is using my server to amplify.

Is there any pf voodoo that can be used to mitigate these attacks? Maybe
stop replying if the source port is a low-numbered known service port and
there is no known state where an outgoing request has already been made?

I have the following enabled in pf.conf but it hasn't helped:

set optimization aggressive
set syncookies adaptive (start 15%, end 8%)

Regards
Lloyd

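One way to express the rule the post asks for, as an added example that is not part of Lloyd's message or of the pf project. It assumes the external interface is in the "egress" group and that the box only offers SSH and HTTPS on TCP; the port list and the 1024 cut-off are assumptions to adjust. The useful property of pf here is that state lookup happens before rule evaluation, so packets belonging to connections the box opened itself match the state table and never reach the block rule; only fresh inbound SYNs are judged by it. Real SSH and HTTPS clients connect from ephemeral ports, so an inbound SYN whose source port is a well-known service port is almost certainly spoofed, and dropping it sends nothing back, which is what removes the reflected SYN+ACK. Note that "set optimization aggressive" only shortens state timeouts, and syncookies and synproxy still answer each SYN with one SYN+ACK (they keep the daemon and, to my knowledge, any retransmission out of it), so none of the three stops the first reflected packet on their own.

```pf
# Added example, not from the original post or from the pf project.
# Assumptions: external interface(s) are in the "egress" group, the box
# serves SSH and HTTPS over TCP, and nothing legitimate connects to it
# from a privileged source port (NFS or rsh-style clients would).
ext_if       = "egress"
tcp_services = "{ ssh https }"

# Drop silently: block-policy return would reflect a RST instead of a SYN+ACK.
set block-policy drop
set syncookies adaptive (start 25%, end 12%)
set skip on lo

# Outbound connections create state; their replies (including SYN+ACKs
# to SYNs this box sent) match the state table before any rule is read.
pass out quick on $ext_if

# Inbound SYNs from a well-known/privileged source port with no existing
# state: almost certainly forged. Log them so pflog0 shows the pattern.
block in log quick on $ext_if proto tcp from any port < 1024 \
    to ($ext_if) port $tcp_services flags S/SA

# Default deny for everything else that arrives unsolicited.
block in on $ext_if

# Legitimate clients. synproxy lets pf complete the handshake itself
# before sshd/httpd ever see the connection.
pass in on $ext_if proto tcp from any to ($ext_if) port $tcp_services \
    flags S/SA synproxy state
```

Check the syntax with "pfctl -nf /etc/pf.conf" before loading, then watch the block rule's counters with "pfctl -vvsr" and the dropped packets with "tcpdump -n -e -ttt -i pflog0". To confirm the reflection has stopped, "tcpdump -n -i egress 'tcp[13] & 0x12 == 0x12 and src port 22'" on the outside interface should go quiet for SYN+ACKs that are not answers to real connections.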