From: Alberto Alesina
To: freebsd-pf@freebsd.org
Date: Tue, 27 Dec 2005 00:48:23 -0800 (PST)
Subject: tracking half-open connections
Message-ID: <20051227084823.28384.qmail@web32611.mail.mud.yahoo.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hello,

To minimize the effects of SYN flood attacks, is there a way in PF to limit the number of possible "half-open" TCP connections, to protect servers offering public services from SYN flood attacks from spoofed IP source addresses?
Turning on the PF synproxy filter rule flag and choosing aggressive timeouts seems a good defense against SYN flood attacks, but I was curious whether there are any options similar to those of some commercial firewall vendors, where, after a configured maximum threshold of "half-open" connections is exceeded, new connection setup requests cause an existing (either the oldest or a random) half-open TCP connection to be dropped (with the corresponding RST to the server to clear the entry) before any new connection is allowed through. Is overwhelming the system (by causing generation of RSTs) a pitfall of such an approach and hence the reason not to implement it?

Appreciate your time. Thanks a lot.

- Alberto Alesina
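As an added illustration (not part of the original message or a reply to it), the pf.conf fragment below shows the pf mechanisms that come closest to the threshold behaviour asked about: a hard state-table limit, adaptive timeouts that shrink state lifetime as the table fills, a short timeout for states that have only seen the SYN, and synproxy so spoofed SYNs never reach the server. The interface name, addresses, ports and numeric limits are assumed values chosen for the example.

```pf
# Added example: bounding the cost of half-open TCP states in FreeBSD pf.
# Interface, server address and thresholds are assumed, not from the list post.
ext_if  = "em0"
web_srv = "192.0.2.10"          # constructed example address

# Sources exceeding the per-source rate below are added here and blocked.
table <flooders> persist

# Hard cap: when the table is full, new states are refused instead of
# consuming unbounded kernel memory.
set limit states 100000

# Adaptive timeouts: above adaptive.start states, every timeout is scaled
# down linearly, reaching zero at adaptive.end. Half-open states (tcp.first)
# already have the shortest TCP timeout, so they are the first to expire as
# the table fills. This is pf's analogue of "expire old half-open entries
# once a threshold is exceeded", without sending RSTs to the server.
set timeout { adaptive.start 60000, adaptive.end 120000 }

# A state that has only seen the client's SYN lives 30 s, not the default 120.
set timeout tcp.first 30
set timeout tcp.opening 20

block in quick on $ext_if from <flooders>

# synproxy completes the handshake with the client itself and only opens a
# connection to the server once that succeeds. A SYN from a spoofed source
# never answers pf's SYN-ACK, so it only ever costs pf one short-lived state
# (bounded by the limits above), never a half-open socket on the server.
pass in on $ext_if proto tcp from any to $web_srv port 80 \
    flags S/SA synproxy state

# For non-spoofed abuse (synproxy already filters spoofed sources), limit
# new connections per source: more than 10 in 5 s puts the source in
# <flooders> and flushes its existing states.
pass in on $ext_if proto tcp from any to $web_srv port 22 \
    flags S/SA synproxy state \
    (max-src-conn-rate 10/5, overload <flooders> flush global)
```

Watch the effect with `pfctl -si` (state count and the current adaptive scaling) and `pfctl -ss | grep -c SYN_SENT` to see how many half-open states exist during a flood.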