tracking half-open connections

Anton Butsyk butsyk at mail.etsplus.net
Tue Dec 27 04:24:50 PST 2005


> Hello,
> For minimizing effects of SYN flood attacks, is there
> a way in PF to limit the number of possible
> "half-open" TCP connections to protect servers
> offering public services from SYN flood attacks from
> spoofed IP source addresses?
>
> Turning on PF synproxy filter rule flag and choosing
> aggressive timeouts seems a good defense against SYN
> flood attacks, but I was curious if there are any
> options similar to some commercial firewall vendors,
> where after a configured maximum threshold of
> "half-open" connections is exceeded, new connection
> setup requests cause an existing (either the oldest or
> random) half-open TCP connection to be dropped (with
> the corresponding RST to the server to clear the
> entry) before any new connection is allowed through.
> Is overwhelming the system (by causing generation of
> RST's) a pitfall of such an approach and hence the
> reason not to implement it?
>
> Appreciate your time. Thanks a lot.
> - Alberto Alesina


Hi!

man pf.conf will help you
options:
   set timeout { tcp.first 10, tcp.opening 20 }
or
   set optimization aggressive

follow the same man page
... synproxy state option can be used to cause pf itself
to complete handshake ...
No packets are sent to the passive endpoint before the active
endpoint has completed the handshake, hence so-called SYN floods
with spoofed source...

   I wonder what kind of options present in "commercial firewall vendors"
don't exist in pf?



-- 
Regards,

Anton Butsyk

http://studiori.net/
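The options named in the reply, put together in one pf.conf fragment as an added example (not part of the original message): the interface name, the server address, the port list and the state limits are assumed values chosen for illustration.

```pf
# Added example, not from the original message. Assumed values:
# the interface (em0), the server address and the two state caps.
ext_if  = "em0"
web_srv = "192.0.2.10"

# Expire half-open states sooner. tcp.first is the timeout after the
# first packet of a connection, tcp.opening the timeout while the
# handshake is still incomplete (seconds).
set timeout { tcp.first 10, tcp.opening 20 }
# Alternatively let pf pick short timeouts for you:
# set optimization aggressive

# Cap the whole state table so a flood cannot exhaust kernel memory
# and legitimate states elsewhere keep working.
set limit states 10000

# pf completes the three-way handshake with the client itself and only
# then opens the connection to the server, so a SYN from a spoofed
# source never produces a half-open entry on the server. The per-rule
# "max" caps how many states this rule may hold at once.
pass in on $ext_if proto tcp from any to $web_srv port { 80 443 } \
    flags S/SA synproxy state (max 5000)
```

Before tightening the timeouts further, watch `pfctl -s state` and `pfctl -s info` under normal load: a very small tcp.opening also cuts off slow legitimate clients that have not finished the handshake yet.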


More information about the freebsd-pf mailing list