Dear all,

I've set up a pf firewall with synproxy. I ran a simulated DDoS against a service behind pf, and everything went fine until I found that, rarely, a TCP connection got established to the service behind pf.

The reason was that (due to a configuration problem) the firewall was actually connected to the Internet, and it continued the TCP handshake. As the spoofed source addresses were sometimes real, live systems on the Internet, the SYN+ACK packet reached them. Mostly they replied with an RST packet, but some replied with RST+ACK. And in pf's source code I found that the synproxy code only checks for the ACK flag, and if it is set, it declares the connection established.

This way, one could find some machines with such TCP implementations, and use them to actually DDoS the target service.

Opinions?

Kojedzinszky Richard
Euronet Magyarorszag Informatika Zrt.
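The following is an added model of the check described in the post, written for this page and not taken from pf's source. It compares a flag-only test (any segment with ACK set completes the proxied handshake) with a stricter test that also rejects RST/SYN and requires the acknowledgment number to match the ISN the proxy chose for its SYN+ACK. The segment values (ISN, the replies a spoofed "source" host might send back) are constructed for illustration; function and field names are this example's own.

```python
"""
Model of a SYN proxy's third-packet check. Added illustration for the post
above; this is not pf's code. Assumption: the proxy remembers the ISN it put
in its SYN+ACK and should only open state when the client's reply is a pure
ACK acknowledging ISN+1.
"""
from dataclasses import dataclass

# TCP flag bits as laid out in the TCP header's flags byte.
TH_FIN, TH_SYN, TH_RST, TH_PSH, TH_ACK = 0x01, 0x02, 0x04, 0x08, 0x10
SEQ_MASK = 0xFFFFFFFF


@dataclass
class TcpSeg:
    flags: int
    seq: int
    ack: int


def established_flag_only(seg: TcpSeg, proxy_isn: int) -> bool:
    """The behaviour the post describes: ACK set means handshake complete."""
    return bool(seg.flags & TH_ACK)


def established_strict(seg: TcpSeg, proxy_isn: int) -> bool:
    """Stricter check: ACK set, no RST or SYN, and ack number == proxy ISN + 1."""
    if seg.flags & (TH_RST | TH_SYN):
        return False
    if not seg.flags & TH_ACK:
        return False
    return seg.ack == (proxy_isn + 1) & SEQ_MASK


def replies_from_spoofed_hosts(proxy_isn: int) -> dict:
    """Constructed sample replies to an unsolicited SYN+ACK carrying proxy_isn.

    A host that did not send the SYN answers with a reset. Some stacks send a
    bare RST, others RST+ACK whose ack field acknowledges our SYN+ACK, which is
    exactly the packet the post observed passing the flag-only test.
    """
    return {
        "rst": TcpSeg(TH_RST, seq=(proxy_isn + 1) & SEQ_MASK, ack=0),
        "rst_ack": TcpSeg(TH_RST | TH_ACK, seq=0, ack=(proxy_isn + 1) & SEQ_MASK),
        # A genuine client's third packet (constructed as the honest case).
        "genuine_ack": TcpSeg(TH_ACK, seq=1, ack=(proxy_isn + 1) & SEQ_MASK),
        # An ACK with the wrong acknowledgment number (e.g. a blind guess).
        "wrong_ack": TcpSeg(TH_ACK, seq=1, ack=(proxy_isn + 99) & SEQ_MASK),
    }


def evaluate(check, proxy_isn: int) -> dict:
    """Run one check over every sample reply; True means 'state would be opened'."""
    return {name: check(seg, proxy_isn)
            for name, seg in replies_from_spoofed_hosts(proxy_isn).items()}


if __name__ == "__main__":
    isn = 0x1234ABCD  # constructed proxy ISN
    print("flag-only:", evaluate(established_flag_only, isn))
    print("strict:   ", evaluate(established_strict, isn))
```

Checking the acknowledgment number alone is not enough: an RST+ACK generated in response to the proxy's SYN+ACK can legitimately carry ack = ISN+1, so the RST bit has to be tested explicitly before the state is opened.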
