FireBall

asked on

TCP flags

We decided to create an allow list of TCP flags on the router to block some attacks.
What are the flags used in TCP traffic for normal web sites / FTP / mail, etc.?

0x02
0x10
.....
etc


I am looking for a list of normal TCP traffic flags for these types of traffic.
gheist

TCP flags are about TCP connections, no matter what is inside:
http://www.openbsd.org/faq/pf/filter.html#tcpflags
There is an example of the flags that are needed. The other four you can strip away, recalculating the header checksums.
FireBall (ASKER)

There are too many types of TCP flags
http://rapid.web.unc.edu/resources/tcp-flag-key/
but what I want to learn is which ones are required for normal TCP traffic.

http
ftp
ssh
sftp
imap
pop
....etc.


For example, I have never seen a
0x9B FIN-SYN-PSH-ACK-CWR
on web traffic.
PF takes letters; you need to convert them to iptables masks. S/SAFR -> init connection, SA/SAFR -> accept it, A/SAFR or nothing /SAFR -> keep state longer, F/SAFR, R/SAFR -> kill the state quicker.
Other flags can be ignored or even masked out.
Actually, I plan to block the unnecessary flags on the router.
There is no difference in flag semantics between higher-level protocols.
You can specify a comma-separated list of flags and handy iptables makes a bit mask out of it.
I can't figure out which hex values are optional to allow. For example, 0x05 is not a used flag. Which flags do you advise me to allow? I will block the rest.
You should not block them; you need to zero those you don't need.
You need only SAFR to maintain a TCP connection:
S -> init
SA -> accept
- or A -> continue
- or A and F or R -> end of connection
The other four can be cleaned out (i.e. zeroed out) or ignored,
and weird combinations of SAFR should be discarded as unseen.
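The SAFR patterns in this thread, worked through as an added example (not code from either participant): decode a flags byte into pf letters, turn a pf set/mask spec into the numbers iptables --tcp-flags takes, classify a segment against the transitions above, and zero the non-SAFR bits. The FA/RA patterns are my assumption that FIN and RST normally travel with ACK on an established connection; 0x9B and 0x05 are the values quoted in the thread.

```python
# Added example, not code from the thread. Bit i of the flags byte is
# FIN,SYN,RST,PSH,ACK,URG,ECE,CWR (RFC 793; ECE/CWR from RFC 3168), as pf letters:
FLAG_LETTERS = "FSRPAUEW"
LETTER_TO_BIT = {l: 1 << i for i, l in enumerate(FLAG_LETTERS)}
IPT_NAME = dict(zip(FLAG_LETTERS, "FIN SYN RST PSH ACK URG ECE CWR".split()))

# gheist's SAFR transitions. FA/RA are an assumption added here: real stacks
# send FIN and RST together with ACK once a connection is established.
ALLOWED = {"S/SAFR": "init", "SA/SAFR": "accept", "A/SAFR": "continue",
           "F/SAFR": "end", "FA/SAFR": "end", "R/SAFR": "end", "RA/SAFR": "end"}

def letters(flags: int) -> str:
    """Render a flags byte as pf letters, lowest bit first: 0x12 -> 'SA'."""
    return "".join(l for l in FLAG_LETTERS if flags & LETTER_TO_BIT[l])

def mask(spec: str) -> tuple[int, int]:
    """'S/SAFR' -> (bits that must be set, bits that are examined)."""
    set_part, mask_part = spec.split("/")
    to_bits = lambda s: sum(LETTER_TO_BIT[c] for c in s)
    return to_bits(set_part), to_bits(mask_part)

def iptables_flags(spec: str) -> str:
    """Same spec written as the '--tcp-flags mask comp' argument of iptables."""
    set_part, mask_part = spec.split("/")
    comp = ",".join(IPT_NAME[c] for c in set_part) or "NONE"
    return f"--tcp-flags {','.join(IPT_NAME[c] for c in mask_part)} {comp}"

def classify(flags: int) -> str:
    """Name the transition a segment belongs to, or 'discard' for a SAFR
    combination that never occurs in a normal connection (e.g. 0x9B, 0x05)."""
    for spec, name in ALLOWED.items():
        want, examined = mask(spec)
        if flags & examined == want:
            return name
    return "discard"

def clean(flags: int) -> int:
    """Zero the four non-SAFR bits instead of dropping the segment (PSH-ACK
    stays a valid 'continue'); the caller must then recompute the checksum."""
    return flags & mask("/SAFR")[1]
```

Note that 0x18 (PSH-ACK), the segment that broke FTP in the thread, classifies as "continue" because the mask only examines SAFR.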
No, I have options on my router to block TCP flags for destination address prefixes.

For www.ddos-service.com I have only allowed 0x02 and 0x10 and it works perfectly, and I also tried a TS3 server on 178.20.229.146;
they are working well,
but FTP is not working.
Probably it uses the push flag and you drop the packet...
Actually, if I find a way like this then there won't be a problem, as we talked about on the other question.
FTP is an ugly protocol: it uses 2 connections and the second might be initiated from the server or from the client.
The modern extension encrypts the control connection, so no firewall can guess the 2nd connection.
But does it make sense to have 2 or 1000 connections?
The second connection is not on standard ports. Usually >1024 to >1024 either way.
But I am not talking about ports, I am talking about flags.
ASKER CERTIFIED SOLUTION
gheist