From dc8fe710406545ac192d0e8bb51abce922e51a50 Mon Sep 17 00:00:00 2001 From: Tizian Maxime Weigt Date: Tue, 29 Apr 2025 09:29:47 +0000 Subject: [PATCH] Upload files to "/" --- TCP Flag Combinations for XDP Filtering.markdown | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 TCP Flag Combinations for XDP Filtering.markdown diff --git a/TCP Flag Combinations for XDP Filtering.markdown b/TCP Flag Combinations for XDP Filtering.markdown new file mode 100644 index 0000000..1fd1170 --- /dev/null +++ b/TCP Flag Combinations for XDP Filtering.markdown 
@@ -0,0 +1,14 @@ +| Flag Combination | Flags Set (Hex) | Purpose | IP+TCP Payload Size | Ethernet Frame Size | XDP Filtering Logic | +|------------------|-----------------|---------|---------------------|---------------------|---------------------| +| SYN | 0x02 | Initiates connection | 40–59 bytes | 64–77 bytes | Rate limit SYN packets per source IP to prevent floods. Drop if rate exceeds threshold. | +| SYN-ACK | 0x12 | Acknowledges SYN | 40–59 bytes | 64–77 bytes | Validate against recent SYN requests using eBPF maps. Drop if no matching SYN. | +| ACK | 0x10 | Acknowledges data | 40 bytes | 64 bytes | Allow for established connections. Rate limit to prevent ACK floods. | +| PSH-ACK | 0x18 | Pushes data | 40–1500 bytes | 64–1518 bytes | Allow for data transfer. Rate limit large packets to prevent floods. | +| FIN-ACK | 0x11 | Closes connection | 40 bytes | 64 bytes | Allow for connection closure. Drop if part of a FIN scan (no prior SYN). | +| RST | 0x04 | Resets connection | 40 bytes | 64 bytes | Allow for error handling. Drop if part of a reset attack (high rate from single IP). | +| NULL | 0x00 | Invalid (no flags) | 40 bytes | 64 bytes | Drop immediately as invalid/malicious. | +| XMAS | 0x29 (FIN+PSH+URG) | Probing attack | 40 bytes | 64 bytes | Drop immediately as invalid/malicious. | +| SYN-FIN | 0x03 | Invalid combination | 40 bytes | 64 bytes | Drop immediately as invalid. | +| URG-ACK | 0x30 | Urgent data (rare) | 40 bytes | 64 bytes | Allow if rare, but monitor for anomalies. | +| ACK-PSH-URG | 0x38 | Data with urgent flag | 40–1500 bytes | 64–1518 bytes | Allow for specific use cases, but rate limit to prevent abuse. | +| SYN-RST | 0x06 | Invalid combination | 40 bytes | 64 bytes | Drop immediately as invalid. | \ No newline at end of file
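
Review bot: The two size columns assume a TCP header with few or no options (`40–59 bytes` / `64–77 bytes` for SYN and SYN-ACK, a fixed `40 bytes` / `64 bytes` for ACK, FIN-ACK, RST and the invalid combinations), so a filter that uses them as match criteria would drop legitimate traffic. The TCP header alone can be up to 60 bytes, a SYN carrying MSS, SACK-permitted, timestamp and window-scale options is already 60 bytes of IP+TCP, and ACKs with timestamps or SACK blocks are larger than 40. Suggest labelling these columns as typical minimums or widening them to 40–80 bytes (IPv4 without IP options), and renaming "IP+TCP Payload Size", since for the no-data rows the figure is header length rather than payload. The Ethernet figures also count the 4-byte FCS, which is normally not in the buffer an XDP program sees, so say whether it is included. In the "Flags Set (Hex)" column the values read as exact matches; an ECN-setup SYN also sets ECE and CWR (0xC2), so state that the comparison is made on the low six bits (mask 0x3F) or list the ECN variants, otherwise the SYN row never matches those packets. The SYN-ACK row ("Validate against recent SYN requests using eBPF maps") needs a note on where the outbound SYNs are recorded, because XDP runs on receive only and a separate egress hook has to populate that map. The FIN-ACK and ACK rows likewise depend on per-connection state that the table does not mention. Minor: the file ends without a trailing newline.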