README.md updated

Tizian Maxime Weigt 2025-05-29 23:56:12 +00:00
parent 542c077fa5
commit fbece2f9b4


@ -1,9 +1,9 @@
# TCP lengths and flags # TCP Flags and Lengths
| Flag Combination | Flags Set (Hex) | Purpose | IP+TCP Payload Size | Ethernet Frame Size | XDP Filtering Logic | | Flag Combination | Flags Set (Hex) | Purpose | IP+TCP Payload Size | Ethernet Frame Size | XDP Filtering Logic |
|------------------|-----------------|---------|---------------------|---------------------|---------------------| |------------------|-----------------|---------|---------------------|---------------------|---------------------|
| SYN | 0x02 | Initiates connection | 4059 bytes | 6477 bytes | Rate limit SYN packets per source IP to prevent floods. Drop if rate exceeds threshold. SynProxy | | SYN | 0x02 | Initiates connection | 4060 bytes | 6478 bytes | Rate limit SYN packets per source IP to prevent floods. Drop if rate exceeds threshold. Use SynProxy. |
| SYN-ACK | 0x12 | Acknowledges SYN | 4059 bytes | 6477 bytes | Validate against recent SYN requests using eBPF maps. Drop if no matching SYN. | | SYN-ACK | 0x12 | Acknowledges SYN | 4060 bytes | 6478 bytes | Validate against recent SYN requests using eBPF hash maps. Drop if no matching SYN. |
| ACK | 0x10 | Acknowledges data | 40 bytes | 64 bytes | Allow for established connections. Rate limit to prevent ACK floods. | | ACK | 0x10 | Acknowledges data | 40 bytes | 64 bytes | Allow for established connections. Rate limit to prevent ACK floods. |
| PSH-ACK | 0x18 | Pushes data | 401500 bytes | 641518 bytes | Allow for data transfer. Rate limit large packets to prevent floods. | | PSH-ACK | 0x18 | Pushes data | 401500 bytes | 641518 bytes | Allow for data transfer. Rate limit large packets to prevent floods. |
| FIN-ACK | 0x11 | Closes connection | 40 bytes | 64 bytes | Allow for connection closure. Drop if part of a FIN scan (no prior SYN). | | FIN-ACK | 0x11 | Closes connection | 40 bytes | 64 bytes | Allow for connection closure. Drop if part of a FIN scan (no prior SYN). |
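Review bot: the SYN and SYN-ACK rows have lost their range separators, so the sizes render as single numbers ("4060 bytes", "6478 bytes") that contradict the Notes further down, which give a 20-byte IPv4 header plus a TCP header written as "2040 bytes" (evidently 20–40), i.e. 40–60 bytes of IP+TCP and 64–78 bytes on the wire (40 + 14 + 4 = 58 is padded up to the 64-byte minimum). Write them as `40–60 bytes` and `64–78 bytes`. In the XDP column of the SYN row, per-source-IP rate limiting on its own is defeated by spoofed source addresses, which is the case SynProxy exists for; say that SynProxy is the primary control and the per-IP limit a secondary one. The SYN-ACK rule ("Drop if no matching SYN") only applies to connections this host initiated, so state that the eBPF hash map is populated from outbound SYNs, otherwise a reader may apply it to server-side traffic where no SYN-ACK should arrive at all.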
@ -11,13 +11,19 @@
| NULL | 0x00 | Invalid (no flags) | 40 bytes | 64 bytes | Drop immediately as invalid/malicious. | | NULL | 0x00 | Invalid (no flags) | 40 bytes | 64 bytes | Drop immediately as invalid/malicious. |
| XMAS | 0x29 (FIN+PSH+URG) | Probing attack | 40 bytes | 64 bytes | Drop immediately as invalid/malicious. | | XMAS | 0x29 (FIN+PSH+URG) | Probing attack | 40 bytes | 64 bytes | Drop immediately as invalid/malicious. |
| SYN-FIN | 0x03 | Invalid combination | 40 bytes | 64 bytes | Drop immediately as invalid. | | SYN-FIN | 0x03 | Invalid combination | 40 bytes | 64 bytes | Drop immediately as invalid. |
| URG-ACK | 0x30 | Urgent data (rare) | 40 bytes | 64 bytes | Allow if rare, but monitor for anomalies. | | URG-ACK | 0x30 | Urgent data (rare) | 40 bytes | 64 bytes | Allow if rare, but monitor for anomalies. Note: URG is rarely used in modern applications. |
| ACK-PSH-URG | 0x38 | Data with urgent flag | 401500 bytes | 641518 bytes | Allow for specific use cases, but rate limit to prevent abuse. | | ACK-PSH-URG | 0x38 | Data with urgent flag | 401500 bytes | 641518 bytes | Allow for specific use cases, but rate limit to prevent abuse. |
| SYN-RST | 0x06 | Invalid combination | 40 bytes | 64 bytes | Drop immediately as invalid. | | SYN-RST | 0x06 | Invalid combination | 40 bytes | 64 bytes | Drop immediately as invalid. |
**Notes**:
- **IP+TCP Payload Size**: Includes 20 bytes IPv4 header + 2040 bytes TCP header (with options like MSS or Window Scaling for SYN/SYN-ACK) + 01460 bytes data.
- **Ethernet Frame Size**: Includes 14 bytes Ethernet header + 4 bytes FCS. Minimum frame size is 64 bytes, maximum is 1518 bytes (without VLAN tagging).
- **URG Flag**: The URG flag is rarely used in modern protocols and should be closely monitored for potential misuse.
# TCP 3-Way Handshake # TCP 3-Way Handshake
```mermaid ```mermaid
sequenceDiagram
participant Client participant Client
participant Server participant Server
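Review bot: the ranges in the PSH-ACK and ACK-PSH-URG rows and in the first Note have lost their separators and read as single numbers ("401500 bytes", "641518 bytes", "2040 bytes TCP header", "01460 bytes data"); restore them as `40–1500`, `64–1518`, `20–40` and `0–1460`, which is consistent with the second Note's 1518-byte maximum (1500 + 14 + 4). The `**Notes**:` line follows the SYN-RST row with no blank line in between, so GFM will render it as an extra table row; insert a blank line before it. Minor: SYN-FIN and SYN-RST are described as "Invalid combination" while NULL and XMAS are "invalid/malicious"; one consistent wording for all four drop-on-sight rows (and a mention that this check runs before any map lookup, since it needs only the flags byte) would make the XDP column easier to turn into code.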
@ -27,4 +33,3 @@
Note left of Client: Client receives SYN-ACK Note left of Client: Client receives SYN-ACK
Client->>Server: ACK Client->>Server: ACK
Note right of Server: Connection established Note right of Server: Connection established
```