> I figure, the state timeout system simply removes states that have existed with
> no additional traffic after a certain, knowable amount of time (for instance,
> if TCP.first is 10 seconds, then 10 seconds after that SYN arrives, the state
> is removed).  My assumption was that the attacker was completely ignoring any
> response generated by the server, including timestamps, SYN/ACKs, whatever. 
> It's just series of timed SYN bursts which attempt to accomplish similar goals
> (in terms of state exhaustion) as a SYNflood while not actually taking the
> entire system down.

Say we start PF at second 0.  We will prune the state tree every ten
seconds (10s, 20s, 30s).
Say we get a packet at time 5s and want to time it out ten seconds later
at time 15s.  But it doesn't.  PF will finally prune the table at time
20s, notice it has expired, and then delete the state.  That state got
an extra five seconds of life.

The use of TCP timestamps is how an attacker could remotely determine
when the firewall came up and thus when the 10s cycle pruning started.
But OpenBSD chooses a random initial timestamp so an attacker would
have to resort to constant probing to catch the time of a reboot.
Predictable expiration doesn't really matter too much anyway.  Attacks
against the state table typically are brute force floods.

.mike
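As an added illustration of the pruning arithmetic in the reply above (this is not code from the thread or from PF itself; the 10 s sweep interval and 10 s timeout are the values used in the mail), this Python models when a state is really deleted and what the delayed sweep does to peak state-table occupancy, which is what matters when sizing the table against a flood:

```python
import math
from typing import List

PRUNE_INTERVAL = 10.0  # seconds between sweeps of the state tree (assumed, as in the mail)


def removal_time(arrival: float, timeout: float, interval: float = PRUNE_INTERVAL) -> float:
    """Wall-clock second at which a state created at `arrival` with idle
    timeout `timeout` is actually deleted, given that the tree is only
    swept every `interval` seconds starting at second 0."""
    expires = arrival + timeout
    return math.ceil(expires / interval) * interval


def extra_life(arrival: float, timeout: float, interval: float = PRUNE_INTERVAL) -> float:
    """Seconds a state outlives its nominal timeout because of sweep granularity
    (0 when the expiry lands exactly on a sweep, up to just under `interval`)."""
    return removal_time(arrival, timeout, interval) - (arrival + timeout)


def peak_states(arrivals: List[float], timeout: float, interval: float = PRUNE_INTERVAL) -> int:
    """Peak number of states held simultaneously when each arrival creates one
    state that is removed only at the first sweep after it expires."""
    events = []
    for a in arrivals:
        events.append((a, +1))                                  # state created
        events.append((removal_time(a, timeout, interval), -1))  # state swept
    # When a sweep and an arrival coincide, process the sweep first.
    events.sort(key=lambda e: (e[0], e[1]))
    current = peak = 0
    for _, delta in events:
        current += delta
        peak = max(peak, current)
    return peak


if __name__ == "__main__":
    # The example from the mail: packet at 5 s, 10 s timeout, swept at 20 s.
    print(removal_time(5, 10), extra_life(5, 10))
    # Constructed load: one new state per second for 30 s with a 10 s timeout.
    load = [float(t) for t in range(30)]
    print(peak_states(load, 10))               # with 10 s sweeps
    print(peak_states(load, 10, interval=1))   # if states were purged on time
```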
