From owner-freebsd-pf@FreeBSD.ORG  Wed Jan 28 13:55:11 2015
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 48DC43E6
 for <freebsd-pf@freebsd.org>; Wed, 28 Jan 2015 13:55:11 +0000 (UTC)
Received: from krichy.tvnetwork.hu (unknown [IPv6:2a01:be00:0:2::10])
 by mx1.freebsd.org (Postfix) with ESMTP id 0E88A6D0
 for <freebsd-pf@freebsd.org>; Wed, 28 Jan 2015 13:55:10 +0000 (UTC)
Received: by krichy.tvnetwork.hu (Postfix, from userid 1000)
 id AB61210B0; Wed, 28 Jan 2015 14:55:08 +0100 (CET)
Received: from localhost (localhost [127.0.0.1])
 by krichy.tvnetwork.hu (Postfix) with ESMTP id AA79310AF;
 Wed, 28 Jan 2015 14:55:08 +0100 (CET)
Date: Wed, 28 Jan 2015 14:55:08 +0100 (CET)
From: krichy@tvnetwork.hu
To: misc@openbsd.org
Subject: pf synproxy
Message-ID: <alpine.DEB.2.11.1501281448140.5880@krichy.tvnetwork.hu>
User-Agent: Alpine 2.11 (DEB 23 2013-08-11)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII
Cc: freebsd-pf@freebsd.org
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
 \(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-pf>,
 <mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf/>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
 <mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Jan 2015 13:55:11 -0000

Dear all,

I've setup a pf firewall with synproxy. I've ran a simulated DDoS for a 
service behind pf, everything went fine, until I've found that rarely a 
tcp connection got established to the service behind pf.

The reason was (due to a configuraion problem) that the firewall actually 
was connected to the Internet, and it continued the tcp handshake. As the 
spoofed source addresses sometimes were real alive systems on the 
Internet, the SYN+ACK packet got to them. Mainly they replied with an RST 
packet, but some replaied with RST+ACK. And in pf's source code I found 
that the synproxy code only checks for the ACK flag, and if set, it 
declares the connection established.

This way, one could find some machines with such TCP implementations, and 
use them to actually DDoS the target service.

Opinions?

Kojedzinszky Richard
Euronet Magyarorszag Informatika Zrt.