TCP Anomaly Filter
The filter blocks anomalous TCP segments (suspicious or invalid packets) according to RFC rules and additional heuristics.
Default Behavior
By default, the filter is disabled.
You can enable basic traffic filtering by simply defining the filter:
xfw {
tcp_anomaly_filter;
}
The following packets are always blocked once the filter is enabled, regardless of the options set:
- RFC-prohibited TCP flag combinations: SYN+FIN, SYN+RST, FIN+RST.
- TCP packets with a zero source or destination port.
SYN without Options
Checks whether a SYN packet contains TCP options and drops it if none are present. Real TCP stacks send at least an MSS option in their SYN, so a SYN with an empty option space is almost always crafted (a port scanner or SYN flood tool):
xfw {
tcp_anomaly_filter syn_without_opt;
}
SYN with Payload
Checks whether a SYN packet contains payload data and drops it if it does. Note that TCP Fast Open (RFC 7413) legitimately carries data in the SYN, so enable this check only if you do not need to accept Fast Open connection requests:
xfw {
tcp_anomaly_filter syn_with_payload;
}
SYN with Specific Sequence Number
You can specify a sequence number for SYN packets that should be dropped. It is recommended to drop packets with a zero sequence number: crafted packets often leave the initial sequence number at 0, while a real stack picks it at random, so the chance of dropping a legitimate SYN is negligible. You can also specify any other valid sequence number in the range [0, 4294967295]:
xfw {
tcp_anomaly_filter syn_with_seqno=0;
}
Bad Flags Filtration
Enabling this option allows blocking an extended list of suspicious TCP flag combinations:
xfw {
tcp_anomaly_filter bad_flags;
}
or
xfw {
tcp_anomaly_filter bad_flags();
}
The following packets are blocked:
- FIN only (FIN scan);
- no flags set (NULL scan);
- FIN+PSH+URG (XMAS scan); all supersets are also considered suspicious;
- SYN+PSH; all supersets are also considered suspicious;
- SYN+URG; all supersets are also considered suspicious;
- RST+PSH; all supersets are also considered suspicious;
- RST+URG; all supersets are also considered suspicious.
You can also define your own set of bad flags. In this case, the default set is skipped:
xfw {
tcp_anomaly_filter bad_flags(0, SYN+PSH);
}
Available flag values:
| Value | Description |
|---|---|
| 0 | TCP segment with no flags set |
| SYN, ACK, FIN, RST, PSH, URG, ECE, CWR | Individual TCP flags |
Flags can be combined using +. Multiple combinations are separated by commas.
xfw {
tcp_anomaly_filter bad_flags(0, SYN+PSH, SYN+FIN, SYN+FIN+RST);
}
Turning Off the Filter
You can disable a previously enabled filter with the following directive:
xfw {
tcp_anomaly_filter/del;
}
Combining Different Options
You can enable multiple checks at once, including custom bad flag rules:
xfw {
tcp_anomaly_filter syn_without_opt syn_with_payload syn_with_seqno=0 bad_flags(0,SYN+PSH);
}
Statistics
Some anomalies may not appear in the statistics because a packet is accounted for only by the first matching rule. For example, a packet with both invalid TCP flags and a zero port will be filtered and counted only under the zero-port rule.
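To make the rule semantics concrete (which segments the always-on rules catch, how the optional SYN checks and the superset matching of bad_flags behave, and why a segment is counted under only its first matching rule), here is a small Python model of the checks described on this page, run over constructed TCP segments. This is an added example, not the filter's own code or configuration parser. Three things are assumptions rather than statements from the page: the rule evaluation order (zero port, then RFC-prohibited flags, then the optional checks in the order they appear above), the reading of "SYN packet" as a SYN with ACK clear, and exact matching for user-supplied bad_flags entries.

```python
import struct

# Flag bits in the low byte of the TCP data-offset/flags word (RFC 9293).
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
         "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}


def parse_flags(spec):
    """Turn a bad_flags() entry such as '0' or 'SYN+PSH' into a bit mask."""
    spec = spec.strip()
    if spec == "0":
        return 0
    mask = 0
    for name in spec.split("+"):
        mask |= FLAGS[name.strip().upper()]
    return mask


# Always blocked: RFC-prohibited combinations (any superset of them too).
RFC_BAD = [parse_flags(s) for s in ("SYN+FIN", "SYN+RST", "FIN+RST")]

# Default bad_flags set as (mask, match_supersets), as listed on the page.
DEFAULT_BAD_FLAGS = [(parse_flags("FIN"), False), (0, False)] + [
    (parse_flags(s), True)
    for s in ("FIN+PSH+URG", "SYN+PSH", "SYN+URG", "RST+PSH", "RST+URG")]


def build_segment(sport, dport, seq, flags, options=b"", payload=b""):
    """Constructed TCP segment (checksum left zero) for feeding the classifier."""
    opts = options + b"\x00" * (-len(options) % 4)   # pad options to 32-bit words
    data_off = (20 + len(opts)) // 4
    header = struct.pack("!HHIIHHHH", sport, dport, seq, 0,
                         (data_off << 12) | flags, 65535, 0, 0)
    return header + opts + payload


def classify(segment, opts=None):
    """Return the first matching rule name, or None if the segment passes.

    Rules run in a fixed order, so a segment that trips several is attributed
    to the first one only (the Statistics note above). The order used here is
    an assumption consistent with the page's zero-port example.
    """
    opts = opts or {}
    sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    data_off = (off_flags >> 12) * 4
    if data_off < 20 or data_off > len(segment):
        raise ValueError("bad TCP data offset")   # malformed header, not a rule
    flags = off_flags & 0xFF
    # Assumption: "SYN packet" means the connection-opening SYN (ACK clear).
    is_syn = bool(flags & FLAGS["SYN"]) and not flags & FLAGS["ACK"]
    has_options = data_off > 20
    payload_len = len(segment) - data_off

    if sport == 0 or dport == 0:
        return "zero_port"
    if any(flags & m == m for m in RFC_BAD):
        return "rfc_flags"
    if opts.get("syn_without_opt") and is_syn and not has_options:
        return "syn_without_opt"
    if opts.get("syn_with_payload") and is_syn and payload_len > 0:
        return "syn_with_payload"
    if "syn_with_seqno" in opts and is_syn and seq == opts["syn_with_seqno"]:
        return "syn_with_seqno"
    for mask, supersets in opts.get("bad_flags", []):
        if flags == mask or (supersets and flags & mask == mask):
            return "bad_flags"
    return None


def count_drops(segments, opts):
    """Per-rule drop counters; each segment is counted under its first match."""
    stats = {}
    for seg in segments:
        rule = classify(seg, opts)
        if rule is not None:
            stats[rule] = stats.get(rule, 0) + 1
    return stats


# Same checks as the combined example above, but with the default bad_flags
# set so that superset matching is visible.
FULL_OPTS = {"syn_without_opt": True, "syn_with_payload": True,
             "syn_with_seqno": 0, "bad_flags": DEFAULT_BAD_FLAGS}

MSS = b"\x02\x04\x05\xb4"   # TCP option kind 2 (MSS), value 1460
F = FLAGS

# Constructed sample traffic: a normal handshake SYN, a data segment and a
# close, plus one segment per anomaly class.
SAMPLES = {
    "good_syn": build_segment(40000, 443, 12345, F["SYN"], MSS),
    "good_data": build_segment(40000, 443, 12346, F["ACK"] | F["PSH"], payload=b"GET /"),
    "good_fin": build_segment(40000, 443, 12351, F["FIN"] | F["ACK"]),
    "port0_synfin": build_segment(0, 443, 1, F["SYN"] | F["FIN"], MSS),
    "xmas_plus_ack": build_segment(40001, 443, 1, F["FIN"] | F["PSH"] | F["URG"] | F["ACK"]),
    "bare_syn_seq0": build_segment(40002, 443, 0, F["SYN"]),
    "syn_payload": build_segment(40003, 443, 7, F["SYN"], MSS, b"\x16\x03\x01"),
    "syn_seq0_opts": build_segment(40004, 443, 0, F["SYN"], MSS),
}

if __name__ == "__main__":
    for name, seg in SAMPLES.items():
        print(f"{name:15s} -> {classify(seg, FULL_OPTS)}")
    print(count_drops(SAMPLES.values(), FULL_OPTS))
```

Two details are worth noticing when you run it. `bare_syn_seq0` satisfies both `syn_without_opt` and `syn_with_seqno=0` but is counted only under `syn_without_opt`, and `port0_synfin` carries an RFC-prohibited SYN+FIN yet shows up only in the zero-port counter, which is exactly the accounting effect described above. The ordinary FIN+ACK close is not a FIN scan because the FIN entry of the default set is an exact match, whereas the XMAS entry matches FIN+PSH+URG+ACK through superset matching.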