Anything wrong with blocking "new" SYN/ACK packets? - Firewalls


  1. Anything wrong with blocking "new" SYN/ACK packets?

    Hi, just brainstorming here...

    I was reading about these "distributed reflective denial of service"
    attacks (spray a ton of IPs with spoofed syn packets and they all hit
    the target with syn/ack's) and I was wondering:

    1. Would it not be possible to just block syn/ack packets that have the
    state: NEW, or would a legitimate syn/ack have that state anyway? (By
    legitimate I mean the box that receives the syn/ack actually sent the
    first syn.)

    2. If it's possible to just block those, is there any reason why I would
    NOT want to do that?


    I'm just trying to learn and in the process make my little iptables
    firewall as secure as possible -- even though I doubt anyone will ever
    try this attack on me ;-)

    Thoughts?

    --
    ~/Blackhole Registered Linux User #420119 (http://counter.li.org)
    AMD Athlon64/3200 2046mb pc3200 DDR400, (2) 300gb SATA, 256mb GeForce 6200
    Gentoo 2007.0 (Gentoo is the best...)
    "A computer is like an air conditioner, it stops working when you open Windows"

  2. Re: Anything wrong with blocking "new" SYN/ACK packets?

    BlackHole wrote:
    > I was reading about these "distributed reflective denial of service"
    > attacks (spray a ton of IPs with spoofed syn packets and they all hit
    > the target with syn/ack's) and I was wondering:
    >
    > 1. Would it not be possible to just block syn/ack packets that have
    > the state: NEW

    Yes (depending on your packet filter, that is).

    > or would a legitimate syn/ack have that state anyway?

    No.

    > 2. If it's possible to just block those, is there any reason why I would
    > NOT want to do that?

    No.

    cu
    59cobalt
    --
    "If a software developer ever believes a rootkit is a necessary part of
    their architecture they should go back and re-architect their solution."
    --Mark Russinovich

  3. Re: Anything wrong with blocking "new" SYN/ACK packets?

    On 2007-10-19, Ansgar -59cobalt- Wiechers wrote:
    > BlackHole wrote:
    >> I was reading about these "distributed reflective denial of service"
    >> attacks (spray a ton of IPs with spoofed syn packets and they all hit
    >> the target with syn/ack's) and I was wondering:
    >>
    >> 1. Would it not be possible to just block syn/ack packets that have
    >> the state: NEW
    >
    > Yes (depending on your packet filter, that is).
    >
    >> or would a legitimate syn/ack have that state anyway?
    >
    > No.
    >
    >> 2. If it's possible to just block those, is there any reason why I would
    >> NOT want to do that?
    >
    > No.
    >
    > cu
    > 59cobalt

    Cool, well there's one more defense added to my arsenal of iptables rules
    ;-)

    Thanks


  4. Re: Anything wrong with blocking "new" SYN/ACK packets?

    BlackHole wrote:
    > On 2007-10-19, Ansgar -59cobalt- Wiechers wrote:
    >> BlackHole wrote:
    >>> I was reading about these "distributed reflective denial of service"
    >>> attacks (spray a ton of IPs with spoofed syn packets and they all hit
    >>> the target with syn/ack's) and I was wondering:
    >>>
    >>> 1. Would it not be possible to just block syn/ack packets that have
    >>> the state: NEW
    >>
    >> Yes (depending on your packet filter, that is).
    >>
    >>> or would a legitimate syn/ack have that state anyway?
    >>
    >> No.
    >>
    >>> 2. If it's possible to just block those, is there any reason why I would
    >>> NOT want to do that?
    >>
    >> No.
    >>
    >> cu
    >> 59cobalt
    >
    > Cool, well there's one more defense added to my arsenal of iptables rules
    > ;-)
    >
    > Thanks

    You could well try to only allow TCP packets with certain flags and
    drop the rest, instead of the opposite.
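
    The following script is an added example, not something posted in the
    thread. It puts both suggestions into working iptables rules: the
    "drop NEW SYN/ACK" rule from reply 2, which works because conntrack
    already holds the flow for any SYN this host sent, so the genuine
    SYN/ACK arrives as ESTABLISHED and only an unsolicited (reflected)
    SYN/ACK is NEW; and the "allow only sane flags, drop the rest" approach
    from reply 4. `-m conntrack --ctstate` is the current spelling of the
    older `-m state --state` match. The script assumes ssh on port 22 is the
    only service exposed, and the `IPT` variable and the `apply` argument are
    conveniences of this example so the rules can be previewed with `IPT=echo`
    before being applied as root.

```shell
#!/bin/sh
# Added example (not from the thread): iptables rules for the two approaches
# discussed above. Set IPT=echo to preview the rules without root.
IPT="${IPT:-iptables}"

# Approach 1 (reply 2): drop SYN/ACKs that conntrack classifies as NEW.
# If this host sent the SYN, conntrack already tracks the flow and the
# returning SYN/ACK is ESTABLISHED, so a legitimate handshake never matches.
drop_new_synack() {
    "$IPT" -A INPUT -p tcp --tcp-flags SYN,ACK SYN,ACK \
        -m conntrack --ctstate NEW -j DROP
    # Same idea, generalised: the only TCP packet that may open a flow is a
    # bare SYN, so any other NEW TCP packet is unsolicited.
    "$IPT" -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
}

# Approach 2 (reply 4): accept only sane flag combinations, drop everything
# else. Assumes ssh (port 22) is the only exposed service; adjust as needed.
allow_only_valid_flags() {
    # Flag combinations no real TCP stack emits (NULL/XMAS scans, spoofed junk).
    "$IPT" -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    "$IPT" -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
    "$IPT" -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    "$IPT" -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    "$IPT" -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
    "$IPT" -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
    "$IPT" -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
    "$IPT" -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
    # Packets belonging to flows we started: this is where a real SYN/ACK lands.
    "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A INPUT -m conntrack --ctstate INVALID -j DROP
    # New inbound connections: bare SYN only, and only to ports we serve.
    "$IPT" -A INPUT -p tcp --syn -m conntrack --ctstate NEW --dport 22 -j ACCEPT
    # Everything else TCP, including a reflected SYN/ACK, is dropped here.
    "$IPT" -A INPUT -p tcp -j DROP
}

# Usage:  IPT=echo sh firewall.sh apply   (preview the rules)
#         sh firewall.sh apply            (install them, as root)
case "${1:-}" in
    apply) drop_new_synack; allow_only_valid_flags ;;
esac
```

    One caveat worth knowing before counting this as a defense: dropping a
    reflected SYN/ACK stops the kernel from answering each one with a RST
    and keeps the logs quiet, but the packet has already crossed your link,
    so the bandwidth a large reflection flood consumes is unchanged. That
    part can only be dealt with upstream of the host.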
