Closed mxmkeep closed 8 months ago
No, in the current version there is no such mechanism in the SYN.

> For example, the client adds a special TCP option into the SYN packet, and the server checks it. If it does not match, do not reply with SYN-ACK; just drop it to avoid the port being scanned.
Is there existing software that has implemented this feature? I wonder how practical it is.

Problems that might arise with this method:
> Is there existing software that has implemented this feature?

No, but there are similar ones, such as the TOA (TCP option address) feature, which originated from LVS full-NAT mode and is now commonly used to pass the client's real IP through for proxy projects. https://github.com/ucloud/ucloud-toa
> - How compatible is the special TCP option?

Yes, the TCP option may be dropped or replaced by the cloud vendor, depending on the choice of option code.
> - Even if this is implemented, how do you prevent replay attacks of the SYN packet without a synchronized clock?

It just adds one more check when receiving a SYN packet; if this logic is bypassed, the original checking logic of the program is still in effect.
One of the purposes of using the UDP protocol is service hiding (avoiding port scanning), which uses the SPA (Single Packet Authorization) mechanism. So can udp2raw support SPA? For example, the client adds a special TCP option into the SYN packet, and the server checks it. If it does not match, do not reply with SYN-ACK; just drop it to avoid the port being scanned.
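As an added illustration of the server-side check proposed in this issue (example code, not udp2raw's or ucloud-toa's), a minimal parser for a SYN's TCP option bytes plus a verifier for an SPA option. It goes one step beyond the proposal by carrying a nonce in the option so that a replayed SYN is rejected without a synchronized clock; the option kind 253, the shared key and the value layout (8-byte nonce + 8-byte HMAC tag) are assumptions.

```python
import hashlib
import hmac

# Assumed for this demo: experimental option kind (RFC 6994 range) and a constructed shared key.
SPA_OPTION_KIND = 253
DEMO_KEY = b"constructed-shared-secret"


def spa_tag(key, client_ip, nonce):
    """Tag binds the nonce to the client's source IP so the option cannot be reused elsewhere."""
    return hmac.new(key, client_ip.encode() + nonce, hashlib.sha256).digest()[:8]


def build_spa_option(key, client_ip, nonce):
    """Encode the SPA option as kind, length, nonce(8), tag(8); the client would place it in its SYN."""
    value = nonce + spa_tag(key, client_ip, nonce)
    return bytes([SPA_OPTION_KIND, 2 + len(value)]) + value


def parse_tcp_options(opts):
    """Walk the TCP options region into (kind, value) pairs, tolerating EOL, NOP and malformed lengths."""
    out, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # EOL: nothing further
            break
        if kind == 1:            # NOP: single-byte padding
            i += 1
            continue
        if i + 1 >= len(opts):   # kind present but length byte missing
            break
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):  # malformed: stop rather than over-read
            break
        out.append((kind, opts[i + 2:i + length]))
        i += length
    return out


def syn_is_authorized(key, client_ip, opts, seen_nonces):
    """Server-side decision: True means answer with SYN-ACK, False means silently drop (port looks closed)."""
    for kind, value in parse_tcp_options(opts):
        if kind != SPA_OPTION_KIND or len(value) != 16:
            continue
        nonce, tag = value[:8], value[8:]
        if not hmac.compare_digest(tag, spa_tag(key, client_ip, nonce)):
            return False                      # wrong key or tampered option
        if nonce in seen_nonces:
            return False                      # replayed SYN: same nonce seen before
        seen_nonces.add(nonce)
        return True
    return False                              # option absent, e.g. stripped by a middlebox: drop
```

A middlebox that strips unknown options (the compatibility concern raised above) leaves the legitimate client in the same position as a scanner: its SYN is dropped, so the option kind must be chosen with that risk in mind.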