SYN+FIN packets and PF

Posted on 2013-09-18
Medium Priority
Last Modified: 2016-02-11
With scrubbing turned on, the PF packet filter "normalizes" packets with the SYN+FIN flags set. A tcpdump on both sides of the firewall shows the packet coming in with SYN+FIN, then passing into the network with only the SYN flag set. With the same rules, a packet with SYN+RST gets dropped.

Why wouldn't the packet filter just drop this packet - is there any circumstance where a TCP packet would legitimately have both of those flags set? And is this something we should block, or is the behaviour of stripping the FIN flag and passing the packet on acceptable?
Question by:Veex
LVL 72

Expert Comment

ID: 39504151
I don't think SYN-FIN is a valid header option combination. It would mean "open a socket, and close it immediately without further exchange" - which is what UDP is for. The scrubbing just seems to correct that misconfiguration. With screening (if available), the packet should be dropped as part of an attack attempt.

IIRC SYN-FIN is used as a means to (maliciously) scan for specific devices by their specific responses, to further customize a more sophisticated attack if the device has known flaws.

Author Comment

ID: 39507612
Thanks Qlemo,

That's the impression I was under, however I'm trying to understand why PF would block one type of misconfigured packet, while allowing and correcting another type ( SYN+RST vs SYN+FIN).
LVL 41

Expert Comment

ID: 39508292
PF is Open/Free/Net-BSD..  so it may be the wrong tree.

SYN+FIN is invalid and should be blocked/dropped. It sometimes is sent by analyzing software to do finger printing on the OS that is running.
And it was an attack on systems (Christmas attack).

SYN+FIN   != UDP because no data can travel with SYN and or FIN packets.
[ besides having a complete different protocol field ].
LVL 66

Expert Comment

ID: 39508862
Hope this helps @ http://www.openbsd.org/faq/pf/filter.html#synproxy

One should be careful with using flags -- understand what you are doing and why, and be careful with the advice people give as a lot of it is bad. Some people have suggested creating state "only if the SYN flag is set and no others". Such a rule would end with:

     . . . flags S/FSRPAUEW  bad idea!!

The theory is, create state only on the start of the TCP session, and the session should start with a SYN flag, and no others. The problem is some sites are starting to use the ECN flag and any site using ECN that tries to connect to you would be rejected by such a rule. A much better guideline is to not specify any flags at all and let PF apply the default flags to your rules. If you truly need to specify flags yourself then this combination should be safe:

. . . flags S/SAFR

While this is practical and safe, it is also unnecessary to check the FIN and RST flags if traffic is also being scrubbed. The scrubbing process will cause PF to drop any incoming packets with illegal TCP flag combinations (such as SYN and RST) and to normalize potentially ambiguous combinations (such as SYN and FIN).

Something the SYN is also to pass network security device policy checks e.g.

> A FIN scan sends TCP segments with the FIN flag set in an attempt to provoke a response (a TCP segment with the RST flag set) and thereby discover an active host or an active port on a host. Attackers might use this approach rather than perform an address sweep with ICMP echo requests or an address scan with SYN segments because they know that many firewalls typically guard against the latter two approaches—but not necessarily against FIN segments. The use of TCP segments with the FIN flag set might evade detection and thereby help the attackers succeed in their reconnaissance efforts.
LVL 27

Accepted Solution

skullnobrains earned 2000 total points
ID: 39515224
most people nowadays tend to state that SYN+FIN packets are not legitimate. as far as i know, they are legitimate and will be properly handled by any tcp stack and most firewalls out there. but then, i've been blocking them on many production systems for years, and i never saw a situation in which it would break anything useful.

the freebsd kernel has featured a sysctl mib "tcp_block_synfin" or something similar for many years (sorry, i don't have the exact mib name but i assume it is easy to grep it from "sysctl -a" if you have a freebsd machine around)

it is easy to block in pf with a rule like
"block in from any to any proto tcp flags SF/SF"
... which should actually also work with either ipf or ipfw


if you're interested in such weird tcp packets, you probably should also take care of "fragmented" packets and "short" packets. a general rule of thumb is to block them for everything except for ssh sessions
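The flag specs discussed in this thread (S/FSRPAUEW, S/SAFR, SF/SF) all use PF's "flags SET/MASK" semantics. The following Python model, added here as an example and not code from the thread or from PF itself, evaluates those three specs against constructed packets and mimics the scrub behaviour the question reports (SYN+RST dropped, SYN+FIN passed with FIN stripped); the scrub model is an assumption drawn from that observation, not PF's implementation.

```python
# Added example: model of PF "flags SET/MASK" matching and the observed scrub.
# TCP flag bits keyed by the letters pf.conf uses (F S R P A U E W).
PF_FLAG_BITS = {
    "F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,   # FIN SYN RST PSH
    "A": 0x10, "U": 0x20, "E": 0x40, "W": 0x80,   # ACK URG ECE CWR
}
FIN, SYN, RST = PF_FLAG_BITS["F"], PF_FLAG_BITS["S"], PF_FLAG_BITS["R"]
ECN_SETUP = PF_FLAG_BITS["E"] | PF_FLAG_BITS["W"]   # ECN-capable SYN sets E and W


def letters_to_bits(letters: str) -> int:
    """Convert a PF flag letter string such as 'SAFR' to a bitmask."""
    bits = 0
    for letter in letters:
        bits |= PF_FLAG_BITS[letter]   # KeyError on an unknown flag letter
    return bits


def flags_match(rule: str, tcp_flags: int) -> bool:
    """PF semantics for 'flags SET/MASK': of the bits in MASK, exactly the
    bits in SET must be on; bits outside MASK are ignored."""
    set_part, mask_part = rule.split("/")
    return tcp_flags & letters_to_bits(mask_part) == letters_to_bits(set_part)


def scrub_normalize(tcp_flags: int):
    """Assumed model of the scrub behaviour from the question: SYN+RST is
    dropped (None), SYN+FIN is passed with the FIN bit cleared."""
    if tcp_flags & SYN and tcp_flags & RST:
        return None
    if tcp_flags & SYN and tcp_flags & FIN:
        return tcp_flags & ~FIN
    return tcp_flags


def names(tcp_flags) -> str:
    """Render a flag bitmask back into PF letters ('dropped' for None)."""
    if tcp_flags is None:
        return "dropped"
    return "".join(l for l, b in PF_FLAG_BITS.items() if tcp_flags & b) or "-"


if __name__ == "__main__":
    # Constructed sample packets: plain SYN, ECN-capable SYN, SYN+FIN, SYN+RST.
    for pkt in (SYN, SYN | ECN_SETUP, SYN | FIN, SYN | RST):
        print(f"{names(pkt):>4}  S/FSRPAUEW={flags_match('S/FSRPAUEW', pkt)!s:5}"
              f"  S/SAFR={flags_match('S/SAFR', pkt)!s:5}"
              f"  SF/SF block={flags_match('SF/SF', pkt)!s:5}"
              f"  after scrub={names(scrub_normalize(pkt))}")
```

Running it shows the ECN-capable SYN failing S/FSRPAUEW but passing S/SAFR, which is the point the OpenBSD FAQ quote above makes.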

Author Closing Comment

ID: 39518504
Great response Skullnobrains;

The FreeBSD sysctl value is net.inet.tcp.drop_synfin: 1 which causes such packets to be dropped, UNLESS PF is enabled.   When PF is enabled, it "normalizes" the packet by stripping the FIN flag and leaving the SYN, allowing the packets to pass.

I've tested and verified this, and used a similar SF/SF flags block rule as you suggested which was effective.
LVL 27

Expert Comment

ID: 39527007
thanks a lot for posting back. i was not aware of that behaviour with pf (i use ipf much more often on freebsd).

best regards
