Handling of TCP Out-of-Order Packets

Started by banym, April 27, 2020, 01:06:44 PM

On one of my OPNsense boxes I am facing problems with some kind of DDoS attacks.
The system is running 19.7.4 in a stateless firewall configuration.
Two BGP uplinks are configured and working.

On one active uplink I see attacks from time to time that seem to use TCP out-of-order mechanisms to generate load on the firewall. The target addresses sometimes do not even exist, but they are in my network range.

By blocking the network ranges or IPs it is possible to handle them, but I am interested in whether there are tweaks to the settings to optimize out-of-order packet handling?

Twitter: banym
Mastodon: banym@bsd.network
Blog: https://www.banym.de

This might also be a full connect port scan since there are many segments sent multiple times.

The easiest way is to respond with a TCP segment with the RST flag set like documented in the RFC. But this is your decision if you want to say that you are here and don't want to talk instead of playing dead.

How would I change it on OPNsense or FreeBSD?

And what are the effects?

This is a behavior change of your servers if they can be reached. On OPNsense you can switch the rule from block to I think reject.

Well, on most of the IPs shown there is no server behind them.
That is what I am curious about. I see the attempt on an IP that is not assigned and not configured anywhere.

Nevertheless it generates load.

For now the unused networks and IPs are handled by a drop rule and only productive traffic will be allowed. This decreased the load instantly and everything looks fine.

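The two behaviours discussed in this thread, "block" (play dead) versus "reject" (answer with a RST), and the final approach of dropping everything destined for announced-but-unused address space, written out as raw pf rules. This is an added illustration, not configuration taken from the poster's box or from OPNsense itself: OPNsense generates its pf.conf from the GUI rules, so on OPNsense you would express the same thing through the rule action (Block vs. Reject) and an alias for the unused ranges. The interface name, the address prefixes (taken from the TEST-NET-1 documentation range) and the service host are assumptions.

```pf
# Added example of the block/reject distinction and the "drop unused space"
# rule from the thread. Raw pf syntax as used on FreeBSD; OPNsense writes its
# own pf.conf from the GUI rules, so these lines are illustrative only.
# $ext_if, the table contents and $web_srv are assumptions.

ext_if = "vtnet0"

# Constructed prefixes from the TEST-NET-1 documentation range: the table holds
# space that is announced over BGP but has no hosts behind it.
table <unused_v4> { 192.0.2.128/25 }
web_srv = "192.0.2.10"

# Default for plain "block": drop silently, send nothing back.
set block-policy drop

# Announced-but-unused space: drop and stop evaluating ("quick").
# No state is created and no reply is generated, so each packet costs only
# the rule match. This is the rule that removed the load in the thread.
block drop in quick on $ext_if inet from any to <unused_v4>

# A host that really exists: "block return" sends a TCP RST (ICMP unreachable
# for UDP), so the remote side learns the port is closed and stops retrying.
# The trade-off raised above: the box announces that it is there.
block return in quick on $ext_if inet proto tcp from any to $web_srv port != 443

# Productive traffic. The thread describes a stateless setup, so "no state" is
# used here; a matching "pass out" rule for the replies is then needed as well.
pass in quick on $ext_if inet proto tcp from any to $web_srv port 443 no state
pass out quick on $ext_if inet proto tcp from $web_srv port 443 to any no state
```

On FreeBSD a ruleset like this can be syntax-checked without loading it using `pfctl -nf /path/to/pf.conf`, and the per-rule packet counters from `pfctl -vvsr` show how much traffic the drop rule for `<unused_v4>` is absorbing compared with the rules for real hosts, which is a direct way to confirm the load reduction described in the last post.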