Anything wrong with blocking "new" SYN/ACK packets?

on 19.10.2007 04:26:57 by blackhole

Hi, just brainstorming here...

I was reading about these "distributed reflective denial of service"
attacks (spray a ton of IPs with spoofed syn packets and they all hit
the target with syn/ack's) and I was wondering:

1. Would it not be possible to just block syn/ack packets that have the
state: NEW or would a legitimate syn/ack have that state anyway? (By
legitimate I mean the box that receives the syn/ack actually sent the
first syn)

2. If it's possible to just block those, is there any reason why I would
NOT want to do that?


I'm just trying to learn and in the process make my little iptables
firewall as secure as possible -- even though I doubt anyone will ever
try this attack on me ;-)

Thoughts?

--
~/Blackhole Registered Linux User #420119 (http://counter.li.org)
AMD Athlon64/3200 2046mb pc3200 DDR400, (2) 300gb SATA, 256mb GeForce 6200
Gentoo 2007.0 (Gentoo is the best...)
"A computer is like an air conditioner, it stops working when you open Windows"

Re: Anything wrong with blocking "new" SYN/ACK packets?

on 19.10.2007 14:28:19 by Ansgar -59cobalt- Wiechers

BlackHole wrote:
> I was reading about these "distributed reflective denial of service"
> attacks (spray a ton of IPs with spoofed syn packets and they all hit
> the target with syn/ack's) and I was wondering:
>
> 1. Would it not be possible to just block syn/ack packets that have
> the state: NEW

Yes (depending on your packet filter, that is).

> or would a legitimate syn/ack have that state anyway?

No.

> 2. If it's possible to just block those, is there any reason why I would
> NOT want to do that?

No.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Re: Anything wrong with blocking "new" SYN/ACK packets?

on 20.10.2007 23:52:54 by blackhole

On 2007-10-19, Ansgar -59cobalt- Wiechers wrote:
> BlackHole wrote:
>> I was reading about these "distributed reflective denial of service"
>> attacks (spray a ton of IPs with spoofed syn packets and they all hit
>> the target with syn/ack's) and I was wondering:
>>
>> 1. Would it not be possible to just block syn/ack packets that have
>> the state: NEW
>
> Yes (depending on your packet filter, that is).
>
>> or would a legitimate syn/ack have that state anyway?
>
> No.
>
>> 2. If it's possible to just block those, is there any reason why I would
>> NOT want to do that?
>
> No.
>
> cu
> 59cobalt

Cool, well there's one more defense added to my arsenal of iptables rules
;-)

Thanks


Re: Anything wrong with blocking "new" SYN/ACK packets?

on 21.10.2007 03:21:07 by goarilla

BlackHole wrote:
> On 2007-10-19, Ansgar -59cobalt- Wiechers wrote:
>> BlackHole wrote:
>>> I was reading about these "distributed reflective denial of service"
>>> attacks (spray a ton of IPs with spoofed syn packets and they all hit
>>> the target with syn/ack's) and I was wondering:
>>>
>>> 1. Would it not be possible to just block syn/ack packets that have
>>> the state: NEW
>> Yes (depending on your packet filter, that is).
>>
>>> or would a legitimate syn/ack have that state anyway?
>> No.
>>
>>> 2. If it's possible to just block those, is there any reason why I would
>>> NOT want to do that?
>> No.
>>
>> cu
>> 59cobalt
>
> Cool, well there's one more defense added to my arsenal of iptables rules
> ;-)
>
> Thanks
>
You could also try to only allow TCP packets with certain flags and
drop the rest, instead of the opposite :D
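The two ideas in this thread, dropping a SYN/ACK whose connection-tracking state is NEW (blackhole's question, 59cobalt's answer) and allowing only a whitelist of TCP flag combinations for new inbound packets (goarilla's reply), both rest on the same fact: a stateful filter only marks an inbound packet NEW when no tracked flow matches it, and the SYN/ACK answering a SYN the host itself sent always matches the flow that SYN created. The toy filter below is an added example written for this page, not code from any poster and not iptables itself. It models what the iptables rule `iptables -A INPUT -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j DROP` does, with the simplifications that it tracks no sequence numbers, timeouts or INVALID state; all addresses and ports are constructed sample values.

```python
"""Toy stateful TCP filter (added example, not code from the thread).

An outbound SYN creates a flow entry, as conntrack would. An inbound packet
that matches a tracked flow is ESTABLISHED; anything else is NEW. A SYN/ACK
the host never solicited (reflected DRDoS traffic) is therefore NEW and is
dropped, while the SYN/ACK answering our own SYN is ESTABLISHED and passes.
"""
from dataclasses import dataclass

# TCP flag bits, same values as in the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
HANDSHAKE_MASK = SYN | ACK | FIN | RST   # the bits the rules inspect


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


class StatefulFilter:
    """Filters packets arriving at one host and tracks the flows it has seen."""

    def __init__(self, local_ip, listening_ports):
        self.local_ip = local_ip
        self.listening = set(listening_ports)
        self.flows = set()          # (local_ip, local_port, remote_ip, remote_port)
        self.dropped_synack = 0     # hit counter for the "NEW SYN/ACK" rule

    def send(self, pkt):
        """Outbound packet: an outbound SYN creates a tracked flow."""
        if pkt.flags & HANDSHAKE_MASK == SYN:
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "ACCEPT"

    def state(self, pkt):
        """Connection-tracking state of an inbound packet."""
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "ESTABLISHED" if key in self.flows else "NEW"

    def receive(self, pkt):
        """Inbound packet, evaluated like an INPUT chain: first match wins."""
        hs = pkt.flags & HANDSHAKE_MASK
        if self.state(pkt) == "ESTABLISHED":
            return "ACCEPT"                        # reply to a flow we already track
        if hs == SYN | ACK:
            self.dropped_synack += 1               # blackhole's rule: NEW SYN/ACK
            return "DROP"
        # goarilla's approach: of the NEW packets, allow only a plain SYN to a
        # listening port and drop every other flag combination by default.
        if hs == SYN and pkt.dport in self.listening:
            self.flows.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
            return "ACCEPT"
        return "DROP"


def run_scenario():
    """Replays a handful of constructed packets and returns the verdicts."""
    fw = StatefulFilter("10.0.0.5", listening_ports={22})
    v = {}
    # 1. We open a connection to a web server; its SYN/ACK answers our SYN.
    fw.send(Packet("10.0.0.5", 40000, "203.0.113.9", 80, SYN))
    v["legit_synack"] = fw.receive(Packet("203.0.113.9", 80, "10.0.0.5", 40000, SYN | ACK))
    # 2. Reflected SYN/ACK: a server we never contacted answers a spoofed SYN.
    v["reflected_synack"] = fw.receive(Packet("198.51.100.7", 80, "10.0.0.5", 40001, SYN | ACK))
    # 3. A client connects to our SSH port with a plain SYN ...
    v["inbound_syn_ssh"] = fw.receive(Packet("192.0.2.33", 51000, "10.0.0.5", 22, SYN))
    # 4. ... and the ACK completing that handshake now matches a tracked flow.
    v["inbound_ack_ssh"] = fw.receive(Packet("192.0.2.33", 51000, "10.0.0.5", 22, ACK))
    # 5. A SYN to a closed port and a SYN/FIN probe both hit the default drop.
    v["inbound_syn_closed"] = fw.receive(Packet("192.0.2.33", 51001, "10.0.0.5", 8080, SYN))
    v["syn_fin_probe"] = fw.receive(Packet("192.0.2.33", 51002, "10.0.0.5", 22, SYN | FIN))
    v["dropped_synack_count"] = fw.dropped_synack
    return v


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:22} {verdict}")
```

The `dropped_synack` counter is the part worth keeping an eye on in a real ruleset: a sudden rise in hits on the NEW SYN/ACK rule (the packet and byte counters of `iptables -L INPUT -v -n` show the same thing) is a cheap indicator that someone is spoofing your address in SYNs to third-party servers, even though the rule already discards the reflected traffic.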