SYN/ACK mystery

  • On my pfSense box 2.0.1 amd64 I enabled a NAT rule to an internal web server. In the corresponding firewall rule I added synproxy state in advanced options because of several apparently spoofed-IP SYN flood attacks, where my server is used as SYN/ACK emitter to the victim system.

    The RRD Graph looks like shown in the attachment.

    About 133 SYN packets from one host from two ports get blocked per second.
    There seem to be no response packets in the graph. In my understanding those packets should be no problem for a modern OS, because TCP congestion mechanisms kick in when no ACKs are received. The graph shows that no responses get sent out.

    BUT, when I do a tcpdump and look at it in Wireshark, I see that pfSense sends out a SYN/ACK to exactly every SYN of that host. I can stop that with a rule blocking the SYN-sending host. But that is no solution.

    So my question is, why do the outputs of RRD Graph and tcpdump differ? Packets get out through NAT rules, firewall rules, tcpdump. So what I see in the dump is what is on the wire. Or am I wrong?

    Greetings, Judex
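
The post compares an RRD graph with what tcpdump shows on the wire. pf's synproxy answers every client SYN with a SYN/ACK itself and only opens the connection to the internal server once the client completes the handshake, so one SYN/ACK per SYN in the capture is what that option produces. The script below is an added example, not the poster's own or part of pfSense: it reads tcpdump text output (here constructed sample lines, with RFC 5737 addresses, for a server at 203.0.113.10) and correlates SYN, SYN/ACK and the third ACK per client, reporting the SYN rate, the number of source ports used, and whether a client's SYNs are all answered but never completed, which is the half-open pattern described above. The threshold `min_syn` and the field names are this example's own choices.

```python
"""Correlate SYN and SYN/ACK segments in tcpdump text output, per client.

Parses the default `tcpdump -n` line format ("HH:MM:SS.ffffff IP a.b.c.d.port >
e.f.g.h.port: Flags [..], ...") and tracks each client flow through the
three-way handshake. A client that sends many SYNs, gets a SYN/ACK for each,
and never sends the third ACK is reported as a half-open flood source.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, Optional

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6}) IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

SERVER_IP = "203.0.113.10"  # constructed: the NATed web server's public address

# Constructed sample capture (not a real dump): one host hammers the server
# from two source ports and never completes a handshake; one legitimate
# client completes the handshake with a third ACK.
SAMPLE_CAPTURE = [
    "12:00:00.000000 IP 198.51.100.7.40001 > 203.0.113.10.80: Flags [S], seq 1, win 512, length 0",
    "12:00:00.000100 IP 203.0.113.10.80 > 198.51.100.7.40001: Flags [S.], seq 900, ack 2, win 65535, length 0",
    "12:00:00.010000 IP 198.51.100.7.40002 > 203.0.113.10.80: Flags [S], seq 1, win 512, length 0",
    "12:00:00.010100 IP 203.0.113.10.80 > 198.51.100.7.40002: Flags [S.], seq 901, ack 2, win 65535, length 0",
    "12:00:00.020000 IP 198.51.100.7.40001 > 203.0.113.10.80: Flags [S], seq 1, win 512, length 0",
    "12:00:00.020100 IP 203.0.113.10.80 > 198.51.100.7.40001: Flags [S.], seq 902, ack 2, win 65535, length 0",
    "12:00:00.030000 IP 198.51.100.7.40002 > 203.0.113.10.80: Flags [S], seq 1, win 512, length 0",
    "12:00:00.030100 IP 203.0.113.10.80 > 198.51.100.7.40002: Flags [S.], seq 903, ack 2, win 65535, length 0",
    "12:00:00.500000 IP 192.0.2.5.51000 > 203.0.113.10.80: Flags [S], seq 10, win 29200, length 0",
    "12:00:00.500200 IP 203.0.113.10.80 > 192.0.2.5.51000: Flags [S.], seq 5000, ack 11, win 65535, length 0",
    "12:00:00.500400 IP 192.0.2.5.51000 > 203.0.113.10.80: Flags [.], ack 5001, win 229, length 0",
]


def ts_seconds(ts: str) -> float:
    """Convert HH:MM:SS.ffffff to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_line(line: str) -> Optional[dict]:
    """Return the addressing and flag fields of one tcpdump line, or None if it is not TCP/IPv4."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["ts"] = ts_seconds(fields["ts"])
    return fields


def summarize(lines: Iterable[str], server_ip: str, min_syn: int = 3) -> Dict[str, dict]:
    """Per-client handshake statistics for traffic to server_ip (min_syn is this example's threshold)."""
    per_client = defaultdict(lambda: {"syn": 0, "synack": 0, "completed": 0,
                                      "ports": set(), "first": None, "last": None})
    flow_state: Dict[tuple, str] = {}  # (client, client_port) -> "syn" | "synack" | "established"

    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        if p["dst"] == server_ip and p["flags"] == "S":
            # Client SYN: start (or restart) the flow and note its timing and source port.
            s = per_client[p["src"]]
            s["syn"] += 1
            s["ports"].add(p["sport"])
            s["first"] = p["ts"] if s["first"] is None else s["first"]
            s["last"] = p["ts"]
            flow_state[(p["src"], p["sport"])] = "syn"
        elif p["src"] == server_ip and p["flags"] == "S.":
            # SYN/ACK leaving the firewall toward the client (synproxy or the real server).
            per_client[p["dst"]]["synack"] += 1
            key = (p["dst"], p["dport"])
            if flow_state.get(key) == "syn":
                flow_state[key] = "synack"
        elif p["dst"] == server_ip and p["flags"] == ".":
            # Third ACK from the client: only counts if it follows a SYN/ACK on that flow.
            key = (p["src"], p["sport"])
            if flow_state.get(key) == "synack":
                flow_state[key] = "established"
                per_client[p["src"]]["completed"] += 1

    report = {}
    for client, s in per_client.items():
        duration = (s["last"] - s["first"]) if s["syn"] else 0.0
        rate = s["syn"] / duration if duration > 0 else float(s["syn"])
        report[client] = {
            "syn": s["syn"], "synack": s["synack"], "completed": s["completed"],
            "ports": len(s["ports"]), "duration_s": duration, "syn_per_s": rate,
            # Many SYNs, every one answered, none completed: the half-open pattern.
            "half_open_flood": s["syn"] >= min_syn and s["synack"] > 0 and s["completed"] == 0,
        }
    return report


if __name__ == "__main__":
    for client, r in summarize(SAMPLE_CAPTURE, SERVER_IP).items():
        print(f"{client}: {r['syn']} SYN / {r['synack']} SYN-ACK / {r['completed']} completed, "
              f"{r['ports']} ports, {r['syn_per_s']:.1f} SYN/s, flood={r['half_open_flood']}")
```

To run it against a real capture, replace `SAMPLE_CAPTURE` with the lines of `tcpdump -n -i <wan_if> 'tcp[tcpflags] & (tcp-syn) != 0 and host <server>'` piped to a file; the `completed` column is what separates a proxy doing its job from real clients, since synproxy itself never forwards a flow whose third ACK never arrives.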

