TMW Shield XDP TCP Retransmission Filter
This XDP program mitigates SYN, SYN-ACK and IP-fragment floods by tracking retransmissions and connection state. It switches between a normal mode and an attack mode so that legitimate TCP handshakes still complete under attack, while flood packets are dropped. The mechanism relies on the fact that a real TCP stack retransmits an unanswered SYN (after roughly one second, the initial RTO), whereas raw flood tools sending spoofed SYNs typically never retransmit.
How It Works
- Under normal conditions, a new TCP SYN or SYN-ACK flow is whitelisted and passed immediately.
- During an attack, the first SYN/SYN-ACK of a new flow is dropped and its arrival time stored; only a retransmission arriving at least 1 second later is passed and whitelisted. Each legitimate new connection therefore pays about one RTO of extra latency while attack mode is active.
- Whitelisted flows pass all packets; a FIN or RST removes the flow from the whitelist, and entries expire after the whitelist timeout.
- IPv4/IPv6 fragments are counted per 350 ms window. Once the count exceeds the threshold, fragments are dropped for 60 seconds.
Key Constants
- SYN threshold: 1500 SYNs/s
- SYN-ACK threshold: 10,000/s
- Fragment threshold: 10,000 per 350ms
- Retransmission wait: 1 second
- Whitelist timeout: 15 minutes
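The handshake gate and the mode switch described above, as an added example in plain userspace C rather than the project's XDP code: first_seen and whitelist are modelled as linear tables instead of BPF hash maps, the timestamp is passed in (nanoseconds, as bpf_ktime_get_ns() returns) so the logic can be stepped deterministically, and two points the page leaves open are filled in and marked as assumptions in the comments: how attack mode ends, and what happens to non-handshake packets of flows that are not whitelisted. The function names and the IPv4-only flow key are this example's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define NS_PER_SEC        1000000000ULL
#define SYN_THRESHOLD     1500                   /* SYNs per second before attack mode */
#define SYNACK_THRESHOLD  10000                  /* SYN-ACKs per second before attack mode */
#define RETRANS_WAIT_NS   (1 * NS_PER_SEC)       /* retransmission wait */
#define WHITELIST_NS      (15 * 60 * NS_PER_SEC) /* whitelist timeout */
#define MAX_FLOWS         4096                   /* stands in for the BPF map's max_entries */

enum verdict  { PASS, DROP };
enum tcp_kind { SYN, SYNACK, DATA, FIN_RST };

struct flow_key   { uint32_t saddr, daddr; uint16_t sport, dport; };
struct flow_entry { bool used; struct flow_key key; uint64_t ts; };

struct filter_state {
    struct flow_entry first_seen[MAX_FLOWS];  /* first_seen_v4 */
    struct flow_entry whitelist[MAX_FLOWS];   /* whitelist_v4 */
    bool     attack_mode;                     /* attack_mode map */
    uint64_t window_start;                    /* start of the current 1 s rate window */
    uint32_t syn_count, synack_count;         /* stats for the current window */
};

/* Linear-scan lookup; a hash map lookup in the real program. */
static struct flow_entry *find(struct flow_entry *t, const struct flow_key *k)
{
    for (int i = 0; i < MAX_FLOWS; i++)
        if (t[i].used && memcmp(&t[i].key, k, sizeof *k) == 0)
            return &t[i];
    return NULL;
}

/* Insert or refresh an entry; NULL when the table is full (map full in BPF terms). */
static struct flow_entry *upsert(struct flow_entry *t, const struct flow_key *k, uint64_t ts)
{
    struct flow_entry *e = find(t, k);
    for (int i = 0; i < MAX_FLOWS && !e; i++)
        if (!t[i].used)
            e = &t[i];
    if (!e)
        return NULL;
    e->used = true; e->key = *k; e->ts = ts;
    return e;
}

/* Roll the 1 s rate window. Assumption (the page does not say how attack mode ends):
 * it stays on across a window boundary only if the window that just closed was over threshold. */
static void roll_window(struct filter_state *st, uint64_t now)
{
    if (now - st->window_start < NS_PER_SEC)
        return;
    st->attack_mode  = st->syn_count > SYN_THRESHOLD || st->synack_count > SYNACK_THRESHOLD;
    st->window_start = now;
    st->syn_count = st->synack_count = 0;
}

/* Verdict for one TCP packet of flow k arriving at time `now`. */
static enum verdict tcp_verdict(struct filter_state *st, const struct flow_key *k,
                                enum tcp_kind kind, uint64_t now)
{
    roll_window(st, now);

    struct flow_entry *wl = find(st->whitelist, k);
    if (wl && now - wl->ts > WHITELIST_NS) {   /* 15 min expiry: treat as a new flow */
        wl->used = false;
        wl = NULL;
    }
    if (wl) {
        if (kind == FIN_RST)
            wl->used = false;                  /* connection closing: forget it */
        return PASS;                           /* whitelisted flows pass everything */
    }

    /* Assumption: non-handshake packets of unknown flows are dropped only under attack. */
    if (kind != SYN && kind != SYNACK)
        return st->attack_mode ? DROP : PASS;

    if (kind == SYN) st->syn_count++; else st->synack_count++;
    if (st->syn_count > SYN_THRESHOLD || st->synack_count > SYNACK_THRESHOLD)
        st->attack_mode = true;

    if (!st->attack_mode) {
        upsert(st->whitelist, k, now);         /* normal mode: trust new handshakes at once */
        return PASS;
    }

    struct flow_entry *fs = find(st->first_seen, k);
    if (!fs) {
        upsert(st->first_seen, k, now);        /* remember it, but drop: a real stack retransmits */
        return DROP;
    }
    if (now - fs->ts < RETRANS_WAIT_NS)
        return DROP;                           /* too soon to be an RTO-driven retransmission */
    fs->used = false;
    upsert(st->whitelist, k, now);             /* retransmitted after >= 1 s: whitelist the flow */
    return PASS;
}
```

Stepping this with a spoofed flood followed by one genuine client shows the trade-off: the flood's sources are never whitelisted because they never retransmit, while the genuine client's first SYN is dropped and its retransmission one RTO later opens the flow. Note that first_seen entries for spoofed sources are never cleaned up in this model; a real map needs an LRU map type or explicit expiry, or it fills up under sustained attack and new legitimate flows can no longer be recorded.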
Maps Used
- first_seen_v4 / first_seen_v6: first packet per connection seen during an attack
- whitelist_v4 / whitelist_v6: trusted connections with expiry
- stats & attack_mode: counters and attack state
- frag_window_map: fragment counts per time window
Packet Flow (Mermaid)
flowchart TD
A[Packet] --> B{Ethertype}
B -->|IPv4| C{Fragment?}
C -->|Yes| D[Count fragment]
D --> E{Fragment attack?}
E -->|Yes| F[Drop packet]
E -->|No| G{TCP?}
C -->|No| G
G -->|Yes| H[Process TCP handshake]
G -->|No| I[Pass packet]
B -->|IPv6| J{Fragment header?}
J -->|Yes| K[Count fragment]
K --> L{Fragment attack?}
L -->|Yes| F
L -->|No| M{TCP?}
J -->|No| M
M -->|Yes| N[Process TCP handshake]
M -->|No| I
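The fragment branch of the flowchart above, as an added example in plain C (not the project's code): an IPv4 packet is a fragment when the MF flag or the fragment offset is non-zero, an IPv6 packet when a Fragment extension header (next header 44) appears in its header chain; every field read is bounds-checked first, as the BPF verifier would require. Fragments then go through the 350 ms window and, once over threshold, a 60 s block. The packet samples are constructed, the per-family frag_window struct and the function names are this example's own, and the TCP handshake branch is left out (non-fragment packets simply pass here).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NS_PER_SEC      1000000000ULL
#define FRAG_WINDOW_NS  (350ULL * 1000000ULL)   /* 350 ms counting window */
#define FRAG_THRESHOLD  10000                    /* fragments per window */
#define FRAG_BLOCK_NS   (60ULL * NS_PER_SEC)     /* drop fragments for 60 s once tripped */

#define ETH_P_IP    0x0800
#define ETH_P_IPV6  0x86DD
#define IPV6_FRAG   44                           /* IPv6 Fragment extension header */

enum verdict { PASS, DROP };
enum family  { NOT_IP, IPV4, IPV6 };

/* One counter per family; stands in for a frag_window_map value. */
struct frag_window { uint64_t window_start; uint32_t count; uint64_t blocked_until; };
struct frag_state  { struct frag_window win[3]; };   /* indexed by enum family */

static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }

/* Which family is this Ethernet frame, and is it a fragment? */
static enum family classify(const uint8_t *pkt, size_t len, int *is_frag)
{
    *is_frag = 0;
    if (len < 14) return NOT_IP;
    uint16_t eth = be16(pkt + 12);
    const uint8_t *ip = pkt + 14;
    size_t rem = len - 14;
    if (eth == ETH_P_IP) {
        if (rem < 20) return NOT_IP;
        *is_frag = (be16(ip + 6) & 0x3fff) != 0;   /* MF flag (0x2000) or non-zero offset (0x1fff) */
        return IPV4;
    }
    if (eth == ETH_P_IPV6) {
        if (rem < 40) return NOT_IP;
        uint8_t nh = ip[6];
        size_t off = 40;
        for (int i = 0; i < 8; i++) {                /* walk extension headers before the fragment header */
            if (nh == IPV6_FRAG) { *is_frag = 1; break; }
            if (nh != 0 && nh != 43 && nh != 60) break;   /* only hop-by-hop, routing, dest opts are walked */
            if (rem < off + 2) break;
            size_t hlen = ((size_t)ip[off + 1] + 1) * 8;
            nh = ip[off];
            off += hlen;
        }
        return IPV6;
    }
    return NOT_IP;
}

/* Count one fragment in the current 350 ms window; trip a 60 s block above threshold. */
static enum verdict frag_window_verdict(struct frag_window *w, uint64_t now)
{
    if (w->blocked_until && now < w->blocked_until)
        return DROP;
    w->blocked_until = 0;
    if (now - w->window_start >= FRAG_WINDOW_NS) {
        w->window_start = now;
        w->count = 0;
    }
    if (++w->count > FRAG_THRESHOLD) {
        w->blocked_until = now + FRAG_BLOCK_NS;
        return DROP;
    }
    return PASS;
}

/* Packet-level decision for the fragment branch only. */
static enum verdict packet_verdict(struct frag_state *st, const uint8_t *pkt, size_t len, uint64_t now)
{
    int frag;
    enum family f = classify(pkt, len, &frag);
    if (f == NOT_IP || !frag)
        return PASS;
    return frag_window_verdict(&st->win[f], now);
}

/* Constructed sample frames (not captured traffic). */
static const uint8_t sample_ipv4_fragment[] = {
    0x02,0,0,0,0,1, 0x02,0,0,0,0,2, 0x08,0x00,                       /* Ethernet, type IPv4 */
    0x45,0x00, 0x00,0x14, 0xab,0xcd, 0x20,0x00, 0x40,0x11, 0x00,0x00, /* flags/offset 0x2000: MF set */
    10,0,0,1, 10,0,0,2 };
static const uint8_t sample_ipv4_plain[] = {
    0x02,0,0,0,0,1, 0x02,0,0,0,0,2, 0x08,0x00,
    0x45,0x00, 0x00,0x14, 0xab,0xcd, 0x40,0x00, 0x40,0x11, 0x00,0x00, /* flags/offset 0x4000: DF only */
    10,0,0,1, 10,0,0,2 };
static const uint8_t sample_ipv6_fragment[] = {
    0x02,0,0,0,0,1, 0x02,0,0,0,0,2, 0x86,0xdd,                       /* Ethernet, type IPv6 */
    0x60,0,0,0, 0x00,0x08, IPV6_FRAG, 64,                             /* next header 44 */
    0xfd,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1, 0xfd,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,
    17, 0, 0x00,0x01, 0,0,0,1 };                                      /* Fragment header */
```

The DF-only IPv4 sample matters: masking with 0x3fff rather than testing the whole field is what keeps ordinary DF-marked packets out of the fragment counter. The IPv6 walk is bounded to eight extension headers so that the loop stays verifier-friendly when ported into XDP.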
Build & Load
clang -O2 -target bpf -c main.c -o main.o
ip link set dev eth0 xdp obj main.o sec xdp
The xdp keyword lets iproute2 attach in native driver mode and fall back to generic mode if the driver lacks XDP support; use xdpdrv or xdpgeneric to force one. Confirm the program is attached, and detach it when done:
ip -d link show dev eth0
ip link set dev eth0 xdp off
The filter mitigates SYN/SYN-ACK floods and fragment floods by combining retransmission timing with connection whitelisting. Its trade-offs follow from the design: every new connection pays about one RTO of extra latency while attack mode is active, and a flood source that runs a real TCP stack, or deliberately retransmits after 1 second, will still be whitelisted.