TCP Flags and Lengths
| Flag Combination | Flags Set (Hex) | Purpose | IP+TCP Payload Size | Ethernet Frame Size | XDP Filtering Logic |
|---|---|---|---|---|---|
| SYN | 0x02 | Initiates connection | 40–60 bytes | 64–78 bytes | Rate limit SYN packets per source IP to prevent floods. Drop if rate exceeds threshold. Use SynProxy. |
| SYN-ACK | 0x12 | Acknowledges SYN | 40–60 bytes | 64–78 bytes | Validate against recent SYN requests using eBPF hash maps. Drop if no matching SYN. |
| ACK | 0x10 | Acknowledges data | 40 bytes | 64 bytes | Allow for established connections. Rate limit to prevent ACK floods. |
| PSH-ACK | 0x18 | Pushes data | 40–1500 bytes | 64–1518 bytes | Allow for data transfer. Rate limit large packets to prevent floods. Basic Connection tracking |
| FIN-ACK | 0x11 | Closes connection | 40 bytes | 64 bytes | Allow for connection closure. Drop if part of a FIN scan (no prior SYN). |
| RST | 0x04 | Resets connection | 40 bytes | 64 bytes | Allow for error handling. Drop if part of a reset attack (high rate from single IP). Basic Connection tracking |
| NULL | 0x00 | Invalid (no flags) | 40 bytes | 64 bytes | Drop immediately as invalid/malicious. |
| XMAS | 0x29 (FIN+PSH+URG) | Probing attack | 40 bytes | 64 bytes | Drop immediately as invalid/malicious. |
| SYN-FIN | 0x03 | Invalid combination | 40 bytes | 64 bytes | Drop immediately as invalid. |
| URG-ACK | 0x30 | Urgent data (rare) | 40 bytes | 64 bytes | Allow if rare, but monitor for anomalies. Note: URG is rarely used in modern applications. |
| ACK-PSH-URG | 0x38 | Data with urgent flag | 40–1500 bytes | 64–1518 bytes | Allow for specific use cases, but rate limit to prevent abuse. |
| SYN-RST | 0x06 | Invalid combination | 40 bytes | 64 bytes | Drop immediately as invalid. |
Notes:
- IP+TCP Payload Size: Includes 20 bytes IPv4 header + 20–40 bytes TCP header (with options like MSS or Window Scaling for SYN/SYN-ACK) + 0–1460 bytes data.
- Ethernet Frame Size: Includes 14 bytes Ethernet header + 4 bytes FCS. Minimum frame size is 64 bytes, maximum is 1518 bytes (without VLAN tagging).
- URG Flag: The URG flag is rarely used in modern protocols and should be closely monitored for potential misuse.
TCP 3-Way Handshake in Normal case
sequenceDiagram
participant Client
participant Server
Client->>Server: SYN
Note right of Server: Server receives SYN
Server-->>Client: SYN-ACK
Note left of Client: Client receives SYN-ACK
Client->>Server: ACK
Note right of Server: Connection established
TCP 3-Way Handshake with Mitigation
sequenceDiagram
participant Client
participant Server
Client->>Server: SYN (seq = x)
Note right of Server: Server receives SYN, generates SYN cookie<br>Cookie = hash(source IP, source port, dest IP, dest port, seq, timestamp)
Server-->>Client: SYN-ACK (seq = y, ack = x+1, cookie in seq)
Note left of Client: Client receives SYN-ACK
Client->>Server: ACK (seq = x+1, ack = y+1)
Note right of Server: Server validates cookie<br>If valid, reconstructs state and establishes connection and save the IP for auto whitelisting
Note right of Server: Connection established