Skip to content
Fetching contributors…
Cannot retrieve contributors at this time
24 lines (18 sloc) 837 Bytes

Workaround to block connections with low MSSs


For a Linux instance, use iptables module tcpmss to set a range of TCP MSS values to reject. An attacker using a small (in this example < 500) MSS will drop the TCP SYN packets. This will block connection establishment and block the attack.


The equivalent of the above, for ip6tables.


Outputs tc commands to install a bpf ingress filter, as for above TCP SYN packets are dropped.


Used by tc-bytecode to invoke tcpdump(8) with a rule set to detect a TCP-SYN packet header with a MSS option in any possition that request a small MSS.


The output from tc-bytcode, copy/paste to a sudo'd shell to install a tc ingress filter for small MSS.

You can’t perform that action at this time.