max-src-conn issue

Peter Maxwell peter at allicient.co.uk
Mon Apr 13 15:08:47 PDT 2009


Hi Yuzhaninov,

Interestingly enough, I checked the pf.conf man page for max-src-conn:

"For stateful TCP connections, limits on established connections (connections
     which have completed the TCP 3-way handshake) can also be enforced
     per source IP.

     max-src-conn <number>
           Limits the maximum number of simultaneous TCP connections which
           have completed the 3-way handshake that a single host can make.
     max-src-conn-rate <number> / <seconds>
           Limit the rate of new connections over a time interval.  The
           connection rate is an approximation calculated as a moving average."

which does indicate that only completed handshakes are counted towards
max-src-conn; it doesn't however say anything about the initial SYN
packet - essentially it seems undefined.  You might be able to get a
better answer by looking at the source, or asking someone who knows
more than me ;-)

Have you tried the rules without the 'quick' keyword? I know it's
probably down to personal taste, but I've always found that using 'quick'
unless it's absolutely essential (and that's not often at all) can
cause unexpected difficulties.

I don't think this is necessarily a problem either, as I think FreeBSD
comes out of the box with protection against SYN floods - again
perhaps someone more knowledgeable can expand on this.

Best wishes,

Peter


2009/4/13 Anton Yuzhaninov <citrin at citrin.ru>:
> Hi All.
>
> It seems that max-src-conn is broken under FreeBSD and not useful for
> limiting incoming connections.
>
> 1. I have added 2 rules:
>
> $ pfctl -s rule
> pass quick on re0 inet proto tcp from 81.19.90.0/23 to any port = ssh flags
> S/SA keep state (source-track rule, max-src-conn 3)
> block drop quick on re0 inet proto tcp from 81.19.90.0/23 to any port = ssh
>
> 2. Open 3 ssh connections:
>
> $ pfctl -s state
> all tcp 81.19.90.176:22 <- 81.19.90.156:47767       ESTABLISHED:ESTABLISHED
> all tcp 81.19.90.176:22 <- 81.19.90.156:47768       ESTABLISHED:ESTABLISHED
> all tcp 81.19.90.176:22 <- 81.19.90.156:47769       ESTABLISHED:ESTABLISHED
>
> $ netstat -n -p tcp
> Active Internet connections
> Proto Recv-Q Send-Q  Local Address          Foreign Address       (state)
> tcp4       0      0 81.19.90.176.22        81.19.90.156.47769
> ESTABLISHED
> tcp4       0      0 81.19.90.176.22        81.19.90.156.47768
> ESTABLISHED
> tcp4       0      0 81.19.90.176.22        81.19.90.156.47767
> ESTABLISHED
>
> 3. When I tried to open one more connection, packets matched by the first rule
> were passed, but state was not created.
>
> $ pfctl -z
>
> On remote host:
> ssh 81.19.90.176
>
> $ pfctl -v -s rule
> pass quick on re0 inet proto tcp from 81.19.90.0/23 to any port = ssh flags
> S/SA keep state (source-track rule, max-src-conn 3)
>  [ Evaluations: 752       Packets: 2         Bytes: 120         States: 3
>   ]
>  [ Inserted: uid 0 pid 98818 ]
> block drop quick on re0 inet proto tcp from 81.19.90.0/23 to any port = ssh
>  [ Evaluations: 2         Packets: 2         Bytes: 128         States: 0
>   ]
>  [ Inserted: uid 0 pid 98818 ]
> $ pfctl -s state
> all tcp 81.19.90.176:22 <- 81.19.90.156:47767       ESTABLISHED:ESTABLISHED
> all tcp 81.19.90.176:22 <- 81.19.90.156:47768       ESTABLISHED:ESTABLISHED
> all tcp 81.19.90.176:22 <- 81.19.90.156:47769       ESTABLISHED:ESTABLISHED
> $ netstat -np tcp
> Active Internet connections
> Proto Recv-Q Send-Q  Local Address          Foreign Address       (state)
> tcp4       0      0 81.19.90.176.22        81.19.90.156.48149     SYN_RCVD
> tcp4       0      0 81.19.90.176.22        81.19.90.156.47769
> ESTABLISHED
> tcp4       0      0 81.19.90.176.22        81.19.90.156.47768
> ESTABLISHED
> tcp4       0      0 81.19.90.176.22        81.19.90.156.47767
> ESTABLISHED
>
> New state is not created, but packets matching the first rule are passed, while
> they should be dropped.
>
> Because of this, a new half-open connection is created (in SYN_RCVD state).
>
> This makes max-src-conn not very useful under FreeBSD - bad guys can eat as
> many sockets as they want on the attacked host, even when the number of
> connections is limited by pf.
>
> $ uname -psv
> FreeBSD FreeBSD 8.0-CURRENT #0: Wed Apr  8 05:31:05 MSD 2009
> citrin at citrin.park.rambler.ru:/usr/obj/usr/src/sys/GENERIC  amd64
>
> I have tested the same rules on OpenBSD 4.4 - they work as expected - when the
> limit is reached, packets matched by the first rule are dropped, and no new
> state is created.
>
> --
>  Anton Yuzhaninov
>
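The mismatch Anton describes is visible by comparing the two outputs he pasted: pf tracks three states for the source, while the kernel socket table shows four, the extra one sitting in SYN_RCVD. The following script is an added example (not from the thread or from the FreeBSD/pf projects) that parses `pfctl -s state` and `netstat -n -p tcp` output in the formats shown above and reports, per source IP, how many kernel sockets are not matched by a pf state. The sample outputs embedded in it are constructed to mirror the thread, including the wrapped `(state)` column; port 22 and the IP addresses are the thread's own values, not an assumption about any other host.

```python
"""Compare pf's per-source state count with the kernel's TCP socket table.

Added example, not part of the mailing-list thread.  A positive "untracked"
count means the kernel holds connections for a source that pf is not
counting toward max-src-conn (in the thread: a SYN_RCVD half-open socket).
"""
import re
from collections import defaultdict

# Constructed sample of `pfctl -s state`, same layout as in the thread.
PFCTL_STATE = """\
all tcp 81.19.90.176:22 <- 81.19.90.156:47767       ESTABLISHED:ESTABLISHED
all tcp 81.19.90.176:22 <- 81.19.90.156:47768       ESTABLISHED:ESTABLISHED
all tcp 81.19.90.176:22 <- 81.19.90.156:47769       ESTABLISHED:ESTABLISHED
"""

# Constructed sample of `netstat -n -p tcp`.  The (state) column can wrap
# onto the following line, exactly as in the quoted post, so the parser
# has to join a bare state line with the socket line before it.
NETSTAT = """\
Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address       (state)
tcp4       0      0 81.19.90.176.22        81.19.90.156.48149     SYN_RCVD
tcp4       0      0 81.19.90.176.22        81.19.90.156.47769
ESTABLISHED
tcp4       0      0 81.19.90.176.22        81.19.90.156.47768
ESTABLISHED
tcp4       0      0 81.19.90.176.22        81.19.90.156.47767
ESTABLISHED
"""

# Inbound pf state line: "all tcp <local>:<port> <- <src>:<sport>  <state>"
PF_STATE_RE = re.compile(
    r"^all tcp (?P<local>\S+) <- (?P<src>\d+\.\d+\.\d+\.\d+):\d+\s+(?P<st>\S+)")
# netstat socket line; the trailing state group may be empty when wrapped.
NETSTAT_RE = re.compile(
    r"^tcp4\s+\d+\s+\d+\s+(?P<local>\S+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.\d+\s*(?P<st>\S*)$")


def pf_states_by_source(text, local_port=22):
    """Count pf-tracked inbound TCP states per source IP for local_port."""
    counts = defaultdict(int)
    for line in text.splitlines():
        m = PF_STATE_RE.match(line.strip())
        if m and m.group("local").endswith(f":{local_port}"):
            counts[m.group("src")] += 1
    return dict(counts)


def kernel_sockets_by_source(text, local_port=22):
    """Count kernel TCP sockets per source IP and TCP state for local_port.

    Returns {src_ip: {tcp_state: count}} and handles the wrapped column.
    """
    counts = defaultdict(lambda: defaultdict(int))
    pending = None  # source IP of a socket line whose state wrapped
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None and re.fullmatch(r"[A-Z_]+", line):
            counts[pending][line] += 1
            pending = None
            continue
        m = NETSTAT_RE.match(line)
        if not m or not m.group("local").endswith(f".{local_port}"):
            continue
        if m.group("st"):
            counts[m.group("src")][m.group("st")] += 1
        else:
            pending = m.group("src")
    return {src: dict(states) for src, states in counts.items()}


def untracked_sockets(pf_text, netstat_text, local_port=22):
    """Per source IP: kernel socket count, pf state count, the difference,
    and how many of the kernel sockets are half-open (SYN_RCVD)."""
    pf = pf_states_by_source(pf_text, local_port)
    kern = kernel_sockets_by_source(netstat_text, local_port)
    report = {}
    for src, states in kern.items():
        total = sum(states.values())
        report[src] = {
            "kernel": total,
            "pf": pf.get(src, 0),
            "untracked": total - pf.get(src, 0),
            "half_open": states.get("SYN_RCVD", 0),
        }
    return report


if __name__ == "__main__":
    for src, r in untracked_sockets(PFCTL_STATE, NETSTAT).items():
        print(f"{src}: kernel={r['kernel']} pf={r['pf']} "
              f"untracked={r['untracked']} half_open={r['half_open']}")
```

Run against live output (`pfctl -s state` and `netstat -n -p tcp` captured at the same moment) this turns the symptom in the thread into a number that can be alerted on: any source with `untracked` above zero is holding sockets on the host that the pf limit is not seeing.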
