Can I filter TCP SYN packets with seq=0

ddostcp

My servers appear to be targeted by a SYN-flood attack. Between 50-600MBit/s, spoofed IPs.

Packets look like this:

IP p.q.r.s.1234 > my.ser.vers.ip.80: Flags [S], seq 0, win 5840, length 0

with p.q.r.s apparently being random. (yes, source port is always 1234)

While this alone is not enough to fill my link, the responses play their part as well and the machines becomes pretty slow.

Is it reasonable to drop TCP SYNs with seq=0?

Best Answer

Sure, you can drop TCP SYNs with seq=0, you'll only have a 1/4294967296 chance (more or less) or dropping a real connection.... BUT:

The actual TCP sequence number is probably not 0!

I don't know what tool you're using (the output format does not quite seem to match either tcpdump or tshark/Wireshark) but both tcpdump and Wireshark actually remember state of TCP streams and subtract the initial sequence number from the value displayed in both seq and ack fields, so that 0 means "whatever the ISN was".

Note this option from the tcpdump manpage:

   -S     Print absolute, rather than relative, TCP sequence numbers.

Related Solutions

Firewall – tcp syn checking

From Watchguard:

TCP SYN checking

The global TCP SYN checking setting is: Enable TCP SYN checking This feature makes sure that the TCP three-way handshake is done before the Firebox allows a data connection.

So I imagine the watchguard isnt seeing the usual syn/syn ack/ack happen for whatever reason and killing the connection.

tcpdump – How to Capture ACK or SYN Packets

The pcap filter syntax used for tcpdump should work exactly the same way on wireshark capture filter.

With tcpdump I would use a filter like this.

tcpdump "tcp[tcpflags] & (tcp-syn|tcp-ack) != 0"

Check out the tcpdump man page, and pay close attention to the tcpflags.

Be sure to also check out the sections in the Wireshark Wiki about capture and display filters. Unfortunately the two types of filters use a completely different syntax, and different names for the same thing.

If you wanted a display filter instead of capture filter you would probably need to build an expression combining tcp.flags.ack, and tcp.flags.syn. I am far more familiar with capture filters though, so you'll have to work that out on your own.

http://wiki.wireshark.org/DisplayFilters
- Display filter ref: http://www.wireshark.org/docs/dfref/
- TCP display ref: http://www.wireshark.org/docs/dfref/t/tcp.html
http://wiki.wireshark.org/CaptureFilters

Best Answer

Related Solutions

Firewall – tcp syn checking

tcpdump – How to Capture ACK or SYN Packets

Related Topic