# TCP Flags and Lengths
| Flag Combination | Flags Set (Hex) | Purpose | IP+TCP Payload Size | Ethernet Frame Size | XDP Filtering Logic |
|------------------|-----------------|---------|---------------------|---------------------|---------------------|
| SYN | 0x02 | Initiates connection | 40-60 bytes | 64-78 bytes | Rate limit SYN packets per source IP to prevent floods. Drop if rate exceeds threshold. Use SynProxy. |
| SYN-ACK | 0x12 | Acknowledges SYN | 40-60 bytes | 64-78 bytes | Validate against recent SYN requests using eBPF hash maps. Drop if no matching SYN. |
| ACK | 0x10 | Acknowledges data | 40 bytes | 64 bytes | Allow for established connections. Rate limit to prevent ACK floods. |
| PSH-ACK | 0x18 | Pushes data | 40-1500 bytes | 64-1518 bytes | Allow for data transfer. Rate limit large packets to prevent floods. Basic connection tracking. |
| FIN-ACK | 0x11 | Closes connection | 40 bytes | 64 bytes | Allow for connection closure. Drop if part of a FIN scan (no prior SYN). |
| RST | 0x04 | Resets connection | 40 bytes | 64 bytes | Allow for error handling. Drop if part of a reset attack (high rate from single IP). Basic connection tracking. |
| NULL | 0x00 | Invalid (no flags) | 40 bytes | 64 bytes | Drop immediately as invalid/malicious. |
| XMAS | 0x29 (FIN+PSH+URG) | Probing attack | 40 bytes | 64 bytes | Drop immediately as invalid/malicious. |
| SYN-FIN | 0x03 | Invalid combination | 40 bytes | 64 bytes | Drop immediately as invalid. |
| URG-ACK | 0x30 | Urgent data (rare) | 40 bytes | 64 bytes | Allow if rare, but monitor for anomalies. Note: URG is rarely used in modern applications. |
| ACK-PSH-URG | 0x38 | Data with urgent flag | 40-1500 bytes | 64-1518 bytes | Allow for specific use cases, but rate limit to prevent abuse. |
| SYN-RST | 0x06 | Invalid combination | 40 bytes | 64 bytes | Drop immediately as invalid. |
**Notes**:
- **IP+TCP Payload Size**: Includes 20 bytes IPv4 header + 20-40 bytes TCP header (with options like MSS or Window Scaling for SYN/SYN-ACK) + 0-1460 bytes data.
- **Ethernet Frame Size**: Includes 14 bytes Ethernet header + 4 bytes FCS. Minimum frame size is 64 bytes, maximum is 1518 bytes (without VLAN tagging).
- **URG Flag**: The URG flag is rarely used in modern protocols and should be closely monitored for potential misuse.
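As an added example (not code from this file), here is a userspace C model of the parse-and-classify step an XDP program would perform for the table above. It walks the Ethernet, IPv4 and TCP headers with explicit bounds checks, as the eBPF verifier would demand of the XDP version, masks off ECE/CWR and maps the remaining 6 flag bits to the table's action column. The verdict names, the `build_frame` helper and the constructed test frames are ours: a real XDP program would return `XDP_DROP` for `VERDICT_DROP` and `XDP_PASS` for the others once the per-source-IP counter or hash-map lookup the table describes has been consulted.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* TCP flag bits in byte 13 of the TCP header. */
#define TCP_FIN 0x01
#define TCP_SYN 0x02
#define TCP_RST 0x04
#define TCP_PSH 0x08
#define TCP_ACK 0x10
#define TCP_URG 0x20
#define TCP_FLAG_MASK 0x3F   /* ECE/CWR (0x40/0x80) are not part of the table */

#define ETH_HLEN      14
#define ETHERTYPE_IP4 0x0800
#define PROTO_TCP     6

/* Verdict names are ours (hypothetical), not XDP return codes. */
enum verdict {
    VERDICT_NOT_TCP,     /* not Ethernet/IPv4/TCP: leave to other rules */
    VERDICT_DROP,        /* invalid or malicious combination, drop at once */
    VERDICT_RATE_LIMIT,  /* allow, but count per source IP and drop above threshold */
    VERDICT_CHECK_STATE, /* allow only if a matching SYN / connection entry exists */
    VERDICT_MONITOR      /* allow, but log as an anomaly (URG) */
};

/* Walk Ethernet -> IPv4 -> TCP with the bounds checks the eBPF verifier
   would require. Returns 0 and the masked flags on success, -1 if the
   frame is not well-formed IPv4/TCP. */
static int parse_tcp_flags(const uint8_t *pkt, size_t len, uint8_t *flags_out)
{
    if (len < ETH_HLEN + 20 + 20)                       /* smallest IPv4+TCP */
        return -1;
    if (((pkt[12] << 8) | pkt[13]) != ETHERTYPE_IP4)
        return -1;
    const uint8_t *ip = pkt + ETH_HLEN;
    if ((ip[0] >> 4) != 4)                              /* IP version field */
        return -1;
    size_t ihl = (size_t)(ip[0] & 0x0F) * 4;            /* header length incl. options */
    if (ihl < 20 || ETH_HLEN + ihl + 20 > len || ip[9] != PROTO_TCP)
        return -1;
    const uint8_t *tcp = ip + ihl;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;           /* data offset incl. options */
    if (doff < 20 || ETH_HLEN + ihl + doff > len)
        return -1;
    *flags_out = tcp[13] & TCP_FLAG_MASK;
    return 0;
}

/* Map a 6-bit flag combination to the table's "XDP Filtering Logic" column. */
enum verdict classify_flags(uint8_t f)
{
    if (f == 0)                                     return VERDICT_DROP;        /* NULL */
    if ((f & TCP_SYN) && (f & (TCP_FIN | TCP_RST))) return VERDICT_DROP;        /* SYN-FIN, SYN-RST */
    if (f == (TCP_FIN | TCP_PSH | TCP_URG))         return VERDICT_DROP;        /* XMAS 0x29 */
    if (f == TCP_SYN)                               return VERDICT_RATE_LIMIT;  /* SYN */
    if (f == (TCP_SYN | TCP_ACK))                   return VERDICT_CHECK_STATE; /* SYN-ACK */
    if (f == TCP_ACK)                               return VERDICT_RATE_LIMIT;  /* ACK */
    if (f == (TCP_PSH | TCP_ACK))                   return VERDICT_RATE_LIMIT;  /* PSH-ACK */
    if (f == (TCP_FIN | TCP_ACK))                   return VERDICT_CHECK_STATE; /* FIN-ACK */
    if (f == TCP_RST)                               return VERDICT_RATE_LIMIT;  /* RST */
    if (f == (TCP_URG | TCP_ACK))                   return VERDICT_MONITOR;     /* URG-ACK */
    if (f == (TCP_ACK | TCP_PSH | TCP_URG))         return VERDICT_RATE_LIMIT;  /* ACK-PSH-URG */
    return VERDICT_CHECK_STATE;   /* not in the table (e.g. lone FIN): require connection state */
}

enum verdict classify_frame(const uint8_t *pkt, size_t len)
{
    uint8_t flags;
    if (parse_tcp_flags(pkt, len, &flags) != 0)
        return VERDICT_NOT_TCP;
    return classify_flags(flags);
}

/* Constructed test input: a minimal 54-byte Ethernet/IPv4/TCP frame (no
   options, no payload, no FCS) carrying the given flags. Returns its length. */
size_t build_frame(uint8_t *buf, size_t cap, uint8_t flags)
{
    if (cap < 54)
        return 0;
    memset(buf, 0, 54);
    buf[12] = 0x08; buf[13] = 0x00;      /* EtherType IPv4 */
    buf[14] = 0x45;                      /* IPv4, IHL = 5 (20 bytes) */
    buf[17] = 40;                        /* IP total length: 20 + 20 */
    buf[14 + 9] = PROTO_TCP;
    buf[14 + 20 + 12] = 0x50;            /* data offset = 5 (20 bytes) */
    buf[14 + 20 + 13] = flags;
    return 54;
}
```

Because the flags are masked with `0x3F`, a SYN that carries ECE+CWR for ECN negotiation (`0xC2`) is classified like a plain SYN rather than falling through to the default; the default itself fails closed by demanding connection state for any combination the table does not list.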
# TCP 3-Way Handshake in the Normal Case
```mermaid
sequenceDiagram
participant Client
participant Server
Client->>Server: SYN
Note right of Server: Server receives SYN
Server-->>Client: SYN-ACK
Note left of Client: Client receives SYN-ACK
Client->>Server: ACK
Note right of Server: Connection established
```
# TCP 3-Way Handshake with Mitigation
```mermaid
sequenceDiagram
participant Client
participant Server
Client->>Server: SYN (seq = x)
Note right of Server: Server receives SYN, generates SYN cookie<br>Cookie = hash(source IP, source port, dest IP, dest port, seq, timestamp)
Server-->>Client: SYN-ACK (seq = y, ack = x+1, cookie in seq)
Note left of Client: Client receives SYN-ACK
Client->>Server: ACK (seq = x+1, ack = y+1)
Note right of Server: Server validates cookie<br>If valid, reconstructs state, establishes the connection and saves the IP for auto-whitelisting
Note right of Server: Connection established
```