Topic: Handling of TCP out of Order Packages (Read 5859 times)
banym
Sr. Member
Posts: 468
Karma: 31
Free Human Being, FreeBSD, Linux and Mac nerd
Handling of TCP out of Order Packages
on: April 27, 2020, 01:06:44 pm
On one of my OPNsense boxes I am facing problems with some kind of DDoS attacks.
The system is running 19.7.4 in a stateless firewall configuration.
Two BGP uplinks are configured and working.
On one active uplink I see attacks from time to time that seem to use TCP Out-Of-Order mechanisms to generate load on the firewall. The target addresses are sometimes not even existing but in my network range.
By blocking the network ranges or IPs it is possible to handle them, but I am interested if there are tweaks to the settings to optimize out of order package handling?
Twitter: banym
Mastodon: banym@bsd.network
Blog: https://www.banym.de
fabian
Hero Member
Posts: 2769
Karma: 200
OPNsense Contributor (Language, VPN, Proxy, etc.)
Re: Handling of TCP out of Order Packages
Reply #1 on: April 27, 2020, 05:02:04 pm
This might also be a full connect port scan since there are many segments sent multiple times.
The easiest way is to respond with a TCP segment with the RST flag set, as documented in the RFC. But this is your decision if you want to say that you are here and don't want to talk instead of playing dead.
banym
Sr. Member
Posts: 468
Karma: 31
Free Human Being, FreeBSD, Linux and Mac nerd
Re: Handling of TCP out of Order Packages
Reply #2 on: April 27, 2020, 05:18:41 pm
How would I change it on OPNsense or FreeBSD?
And what are the effects?
fabian
Hero Member
Posts: 2769
Karma: 200
OPNsense Contributor (Language, VPN, Proxy, etc.)
Re: Handling of TCP out of Order Packages
Reply #3 on: April 27, 2020, 05:46:43 pm
This is a behavior change of your servers if they can be reached. On OPNsense you can switch the rule from block to, I think, reject.
banym
Sr. Member
Posts: 468
Karma: 31
Free Human Being, FreeBSD, Linux and Mac nerd
Re: Handling of TCP out of Order Packages
Reply #4 on: April 27, 2020, 05:57:10 pm
Well, on most of the IPs shown there is no server behind.
That is what I am curious about. I see the try on an IP that is not assigned and not configured anywhere.
Nevertheless it generates load.
banym
Sr. Member
Posts: 468
Karma: 31
Free Human Being, FreeBSD, Linux and Mac nerd
Re: Handling of TCP out of Order Packages
Reply #5 on: April 30, 2020, 08:31:09 am
For now the unused networks and IPs are handled by a drop rule and only productive traffic will be allowed. This decreased the load instantly and everything looks fine.
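The fix described in the last reply (silently drop everything aimed at unassigned space inside the announced range), as an added example that is not from the thread: it computes the unused remainder of a prefix and renders it as a pf table with a drop rule. The prefix, the in-use subnets, the table name `unused_space` and the `$ext_if` macro are constructed assumptions; on OPNsense the resulting networks can be entered as an alias referenced by a block rule.

```python
import ipaddress

def unused_prefixes(announced, in_use):
    """Parts of `announced` not covered by any `in_use` subnet, as minimal CIDR blocks."""
    remaining = [ipaddress.ip_network(announced)]
    for used in map(ipaddress.ip_network, in_use):
        kept = []
        for net in remaining:
            if used.version != net.version or not used.overlaps(net):
                kept.append(net)                         # untouched by this subnet
            elif used.supernet_of(net):
                continue                                 # fully in use, nothing left
            else:
                kept.extend(net.address_exclude(used))   # carve the used part out
        remaining = kept
    return sorted(ipaddress.collapse_addresses(remaining))

def pf_drop_rules(unused, table="unused_space", ext_if="$ext_if"):
    """Render a pf table plus one silent-drop rule (names are assumptions)."""
    if not unused:
        return []
    members = ", ".join(str(n) for n in unused)
    return [
        f"table <{table}> const {{ {members} }}",
        f"block drop in quick on {ext_if} from any to <{table}>",
    ]

def is_unused(dst, unused):
    """True if destination address `dst` falls in space that has no host behind it."""
    addr = ipaddress.ip_address(dst)
    return any(addr.version == n.version and addr in n for n in unused)

# Constructed sample: documentation prefix and made-up allocations.
ANNOUNCED = "198.51.100.0/24"
IN_USE = ["198.51.100.0/26", "198.51.100.128/27"]

if __name__ == "__main__":
    unused = unused_prefixes(ANNOUNCED, IN_USE)
    print("\n".join(pf_drop_rules(unused)))
    for dst in ("198.51.100.10", "198.51.100.77", "198.51.100.200"):
        print(dst, "drop" if is_unused(dst, unused) else "allow")
```
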