Anything wrong with blocking "new" SYN/ACK packets?

Posted by BlackHole on October 18, 2007, 10:26 pm
Hi, just brainstorming here...

I was reading about these "distributed reflective denial of service"
attacks (spray a ton of IPs with spoofed syn packets and they all hit
the target with syn/ack's) and I was wondering:

1. Would it not be possible to just block syn/ack packets that have the
state: NEW or would a legitimate syn/ack have that state anyway? (By
legitimate I mean the box that receives the syn/ack actually sent the
first syn)

2. If it's possible to just block those, is there any reason why I would
NOT want to do that?


I'm just trying to learn and in the process make my little iptables
firewall as secure as possible -- even though I doubt anyone will ever
try this attack on me ;-)

Thoughts?

--
~/Blackhole         Registered Linux User #420119 (http://counter.li.org)
AMD Athlon64/3200 2046mb pc3200 DDR400, (2) 300gb SATA, 256mb GeForce 6200
Gentoo 2007.0 (Gentoo is the best...)
"A computer is like an air conditioner, it stops working when you open Windows"

Posted by Ansgar -59cobalt- Wiechers on October 19, 2007, 8:28 am
> I was reading about these "distributed reflective denial of service"
> attacks (spray a ton of IPs with spoofed syn packets and they all hit
> the target with syn/ack's) and I was wondering:
>
> 1. Would it not be possible to just block syn/ack packets that have
> the state: NEW

Yes (depending on your packet filter, that is).

> or would a legitimate syn/ack have that state anyway?

No.

> 2. If it's possible to just block those, is there any reason why I would
> NOT want to do that?

No.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Posted by BlackHole on October 20, 2007, 5:52 pm
>> I was reading about these "distributed reflective denial of service"
>> attacks (spray a ton of IPs with spoofed syn packets and they all hit
>> the target with syn/ack's) and I was wondering:
>>
>> 1. Would it not be possible to just block syn/ack packets that have
>> the state: NEW
>
> Yes (depending on your packet filter, that is).
>
>> or would a legitimate syn/ack have that state anyway?
>
> No.
>
>> 2. If it's possible to just block those, is there any reason why I would
>> NOT want to do that?
>
> No.
>
> cu
> 59cobalt

Cool, well there's one more defense added to my arsenal of iptables rules
;-)

Thanks

--
~/Blackhole         Registered Linux User #420119 (http://counter.li.org)
AMD Athlon64/3200 2046mb pc3200 DDR400, (2) 300gb SATA, 256mb GeForce 6200
Gentoo 2007.0 (Gentoo is the best...)
"A computer is like an air conditioner, it stops working when you open Windows"

Posted by goarilla on October 20, 2007, 9:21 pm
BlackHole wrote:
>>> I was reading about these "distributed reflective denial of service"
>>> attacks (spray a ton of IPs with spoofed syn packets and they all hit
>>> the target with syn/ack's) and I was wondering:
>>>
>>> 1. Would it not be possible to just block syn/ack packets that have
>>> the state: NEW
>> Yes (depending on your packet filter, that is).
>>
>>> or would a legitimate syn/ack have that state anyway?
>> No.
>>
>>> 2. If it's possible to just block those, is there any reason why I would
>>> NOT want to do that?
>> No.
>>
>> cu
>> 59cobalt
>
> Cool, well there's one more defense added to my arsenal of iptables rules
> ;-)
>
> Thanks
>
You could also try to only allow TCP packets with certain flags and
drop the rest, instead of the opposite :D
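As an added example (not code posted by anyone in this thread), the following script expresses both rule styles discussed above as iptables commands: BlackHole's "drop SYN/ACK in state NEW" rule, and goarilla's allow-list variant that accepts only a bare SYN as a NEW TCP packet. It assumes the filter table's INPUT chain and an earlier `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` rule for return traffic; `-m conntrack --ctstate` is the current spelling of the 2007-era `-m state --state`, and both match the same way. The variable `IPT`, the function names and the small classifier at the bottom are constructed for this example; by default the script only echoes the commands so it can be read and tested without touching a live firewall.

```shell
#!/bin/sh
# Added example, not code from the thread. Two rule styles for reflected SYN/ACKs,
# plus a constructed classifier that mirrors their semantics so the effect on a
# given flags/state pair can be checked offline.
# Assumptions: filter table, INPUT chain, and an earlier
#   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# rule, so that replies to our own SYNs are accepted before these rules are reached.
# IPT defaults to a dry run that echoes the commands; run with IPT=iptables to apply.
IPT="${IPT:-echo iptables}"

# Variant 1 (the question as asked): drop a SYN/ACK for which conntrack has never
# seen our outgoing SYN. A SYN/ACK answering our own SYN is ESTABLISHED, not NEW,
# so legitimate handshakes are unaffected; a reflected SYN/ACK arriving cold is NEW.
drop_new_synack() {
    $IPT -A INPUT -p tcp --tcp-flags SYN,ACK SYN,ACK -m conntrack --ctstate NEW -j DROP
}

# Variant 2 (goarilla's allow-list form): a NEW TCP packet may only be a bare SYN;
# any other NEW TCP packet is dropped. "! --syn" is shorthand for
# "! --tcp-flags SYN,RST,ACK,FIN SYN", so this also covers stray ACK, FIN and RST.
allow_only_syn_for_new() {
    $IPT -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
}

# --- constructed classifier (not a packet filter): what does each variant do? ---
# FLAGS is a comma-separated list drawn from SYN,ACK,RST,FIN; STATE is the conntrack
# state (NEW, ESTABLISHED, ...). Exit status 0 means "dropped by that variant".
has_flag() {
    case ",$1," in *,"$2",*) return 0 ;; esac
    return 1
}
dropped_by_v1() {
    [ "$2" = NEW ] && has_flag "$1" SYN && has_flag "$1" ACK
}
dropped_by_v2() {
    [ "$2" = NEW ] && [ "$1" != SYN ]
}

# Walk a few constructed packets through both classifiers and print the verdicts.
demo() {
    for pkt in "SYN NEW" "SYN,ACK NEW" "SYN,ACK ESTABLISHED" "ACK NEW" "FIN,ACK ESTABLISHED"; do
        set -- $pkt
        v1=ACCEPT; dropped_by_v1 "$1" "$2" && v1=DROP
        v2=ACCEPT; dropped_by_v2 "$1" "$2" && v2=DROP
        printf '%-16s %-12s v1=%-6s v2=%s\n' "$1" "$2" "$v1" "$v2"
    done
}

demo
drop_new_synack
allow_only_syn_for_new
```

The classifier makes the thread's two answers visible side by side: `SYN,ACK NEW` is dropped by both variants, `SYN,ACK ESTABLISHED` (the reply to a connection we opened) passes both, and `ACK NEW` is only caught by the allow-list form. Either rule belongs after the ESTABLISHED,RELATED accept and before any generic `-p tcp` accept, otherwise the accept wins first.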
