
TCP flags

We decided to create an allow list of TCP flags on the router to block some attacks.
What are the flags used in TCP traffic for normal web sites / FTP / mail, etc.?

0x02
0x10
.....
etc


I am looking for a list of the flags of normal TCP traffic for these types of traffic.

Top Expert 2015

Commented:
TCP flags are about TCP connections, no matter what is inside:
http://www.openbsd.org/faq/pf/filter.html#tcpflags
There is an example of the flags that are needed. The other four you can strip away, recalculating the header checksums.

Author

Commented:
There are too many types of TCP flags:
http://rapid.web.unc.edu/resources/tcp-flag-key/
But what I want to learn is which ones are required for normal TCP traffic.

http
ftp
ssh
sftp
imap
pop
....etc.


For example, I have never seen a
0x9B FIN-SYN-PSH-ACK-CWR
on web traffic.
Top Expert 2015

Commented:
PF takes letters; you need to convert them to IPTABLES masks.
S/SAFR -> init connection
SA/SAFR -> accept it
A/SAFR or nothing /SAFR -> keep state longer
F/SAFR R/SAFR -> kill the state quicker
Other flags can be ignored or even masked out.

Author

Commented:
Actually I plan to block the unnecessary flags on the router.
Top Expert 2015

Commented:
There is no difference in flag semantics between higher level protocols.
You can specify a comma-separated list of flags and handy iptables makes a bit mask out of it.

Author

Commented:
I could not figure out which hex values are optional to allow; for example, 0x05 is not a used flag. Which flags do you advise me to allow? I will block the rest.
Top Expert 2015

Commented:
You should not block them; you need to zero those you don't need.
You need only SAFR to maintain a TCP connection:
S -> init
SA -> accept
- or A -> continue
- or A and F or R -> end of connection
The other four can be cleaned out (i.e. zeroed out) or ignored,
and weird combinations of SAFR should be discarded as unseen.
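The SAFR rules above, and the PF "flags/mask" notation from the earlier comment, as an added worked example (my own code, not the thread's or any project's): it decodes a TCP flags byte, classifies it with the expert's S/A/F/R rules after masking out PSH/URG/ECE/CWR, enumerates every masked value those rules accept, and converts PF notation such as `S/SAFR` into an iptables `--tcp-flags` argument. The function names, the constructed sample values and the default exact-match allow list of 0x02/0x10 are my assumptions for illustration; it goes slightly beyond the text by comparing an exact-match allow list with the masked rules side by side.

```python
# Added example for this thread (not code from the thread or any project):
# decode TCP flag bytes, classify them with the S/A/F/R state rules the expert
# describes, and turn PF-style "flags/mask" notation into iptables syntax.

# Bit values of the TCP header flags byte (FIN..CWR, low bit first).
TCP_FLAGS = {
    "FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
    "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80,
}
# PF single-letter names for the same flags.
PF_LETTERS = {"F": "FIN", "S": "SYN", "R": "RST", "P": "PSH",
              "A": "ACK", "U": "URG", "E": "ECE", "W": "CWR"}
# The four flags that carry connection state; the other four are masked out.
SAFR_MASK = TCP_FLAGS["SYN"] | TCP_FLAGS["ACK"] | TCP_FLAGS["FIN"] | TCP_FLAGS["RST"]


def decode(flags):
    """Names of the bits set in a flags byte, e.g. 0x9B -> FIN, SYN, PSH, ACK, CWR."""
    return [name for name, bit in TCP_FLAGS.items() if flags & bit]


def classify_safr(flags):
    """Classify a flags byte by its SYN/ACK/FIN/RST bits only.

    Returns "init", "accept", "continue", "end", or "invalid" (a SAFR
    combination that a legitimate connection never produces).
    """
    core = flags & SAFR_MASK
    syn, ack, fin, rst = (bool(core & TCP_FLAGS[n]) for n in ("SYN", "ACK", "FIN", "RST"))
    if syn and not (fin or rst):
        return "accept" if ack else "init"   # S, SA
    if not (syn or fin or rst):
        return "continue"                     # A alone, or no SAFR bit at all
    if not syn and fin != rst:
        return "end"                          # F or R, with or without A
    return "invalid"                          # SF, SR, FR, SFA, ... (e.g. 0x9B, 0x05)


def allowed_safr_values():
    """Every masked flags value that the rules above accept, as a sorted list."""
    return sorted({v & SAFR_MASK for v in range(256) if classify_safr(v) != "invalid"})


def exact_allow(flags, allowlist):
    """Exact-match allow list with no masking (assumed to be what the router does)."""
    return flags in allowlist


def pf_to_iptables(spec):
    """Convert PF 'flags/mask' notation (e.g. 'SA/SAFR') to an iptables --tcp-flags argument."""
    set_part, sep, mask_part = spec.partition("/")
    if not sep or not mask_part:
        raise ValueError("expected 'flags/mask', e.g. 'S/SAFR'")

    def names(letters):
        return ",".join(PF_LETTERS[c] for c in letters.upper())

    # iptables spells an empty "set" part as NONE.
    return "--tcp-flags %s %s" % (names(mask_part), names(set_part) or "NONE")


def audit(samples, allowlist=(0x02, 0x10)):
    """For each sample: hex, flag names, exact-match verdict, masked SAFR verdict."""
    return [(hex(f), decode(f), exact_allow(f, allowlist), classify_safr(f)) for f in samples]


if __name__ == "__main__":
    # Constructed sample: handshake, data segment with PSH, teardown, and two odd values.
    for row in audit([0x02, 0x12, 0x10, 0x18, 0x11, 0x14, 0x05, 0x9B]):
        print(row)
    print("masked values to allow:", [hex(v) for v in allowed_safr_values()])
    for spec in ("S/SAFR", "SA/SAFR", "A/SAFR", "/SAFR", "F/SAFR", "R/SAFR"):
        print(spec, "->", pf_to_iptables(spec))
```

Running it prints one row per sample; the 0x18 (PSH+ACK) row is rejected by the exact-match list of 0x02 and 0x10 but classified as "continue" once PSH is masked, which is the difference between blocking unneeded flags and zeroing them that the expert is drawing.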

Author

Commented:
No, I have options on my router to block TCP flags for destination address prefixes.

For www.ddos-service.com I have only allowed 0x02 and 0x10 and it works perfectly, but I also tried a TS3 server on 178.20.229.146;
they are working well,
but FTP is not working.
Top Expert 2015

Commented:
Probably it uses the push flag and you drop the packet...

Author

Commented:
Actually, if I find a way like this then there won't be a problem, as we talked about on the other question.
Top Expert 2015

Commented:
FTP is an ugly protocol: it uses 2 connections and the second might be initiated from the server or from the client.
The modern extension encrypts the control connection, so no firewall can guess the 2nd connection.

Author

Commented:
But does it make sense to have 2 or 1000 connections?
Top Expert 2015

Commented:
The second connection is not on standard ports. Usually >1024 to >1024 either way.

Author

Commented:
But I am not talking about ports, I am talking about flags.
Top Expert 2015

Commented:
There are no special flags set by rhel6 ftp or filezilla for the data connection. I suspect it is blocked because of ports, not because of flags. Can you verify with tcpdump on the client?
