What I'm trying to do is block RST attacks with IPTables.
When I do a search for it, I'm seeing rules where packets with the RST flag set are being rate limited.
I'm questioning it a little bit. I think I need to rate limit RST / ACK and not RST.
If I'm not mistaken, when a client decides to abort an existing connection, an RST / ACK packet will be received by the server and the server responds with ACK and closes the connection.
So, normally a server never gets or sends out RST packets. I think it's always RST / ACK.
Unless a client is being spoofed and the attacker inserts the RST flag.
But why would that close the connection?
I'm probably wrong because I'm seeing it everywhere I look, but I think an attacker needs to insert RST / ACK. Is that not correct?
Is a server not able to see the difference between RST / ACK and RST without ACK ?
RST is sent to signal an abnormal connection end. The normal signal to end a connection is FIN.
Both sides of a TCP/IP connection can send them. The receiver side should answer with an ACK, so the sender knows this is okay; otherwise it will resend the signal again and again until timeout or until it receives an ACK.
If you filter the rate at which the server can receive RST, you don't have to filter on ACK, because it will only send an ACK once for each RST.
And you don't have to filter received ACKs because this is not the threat.
Because a server rarely receives RST in normal operation, it is usual to drop most of them.
When a real RST is sent by a foreign host, it has, say, a 75% chance to be dropped. So the server never sends an ACK. So the host sends it again and again, until it passes the filter. So the server sends the ACK and voila.
The RST signal used in the attack contains a forged source IP address, with the intent of dropping an existing connection. This attack was invented around 2003/2004. It is efficient only when the target has a big bandwidth, because the attacker must try millions of IP addresses + sequence numbers for the attack to succeed.
Because the fake RST contains a random IP address + random sequence number, limiting their rate is a way to reduce the chances that one fake RST matches a real connection.
So this attack is mostly used when the attacker knows who is connected to whom. Over a T1 line, when the attacker knows exactly which source IP address to drop, the attack only takes 5 to 30 seconds (if the line is totally free; otherwise the attack takes longer. For example, if the line is 50% busy, the time is doubled). If you rate limit them, this can take much longer.
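To make the question above concrete (can a rule tell bare RST from RST/ACK?) and the answer's rate-limit idea testable offline, here is an added example that is not code from the question or the answer: a small Python model of how an iptables `--tcp-flags MASK COMP` test and the `limit` token bucket would treat RST versus RST/ACK segments. The flag bit values are the real TCP ones; the token-bucket arithmetic is an approximation of the `limit` module, and every packet sample is constructed.

```python
# Added example, not code from the original question or answer: a model of how
# an iptables "--tcp-flags MASK COMP" test and the "limit" token bucket treat
# RST versus RST/ACK segments. All packet samples below are constructed.
FLAGS = {"FIN": 1, "SYN": 2, "RST": 4, "PSH": 8, "ACK": 16, "URG": 32}

def flag_bits(names):
    """'RST,ACK' -> bitmask, as iptables parses a flag list."""
    return sum(FLAGS[n] for n in names.split(","))

def tcp_flags_match(mask, comp, packet_flags):
    """--tcp-flags MASK COMP: look only at the MASK bits and require exactly COMP set."""
    return packet_flags & flag_bits(mask) == flag_bits(comp)

class LimitMatch:
    """Approximation of the 'limit' module: --limit RATE/second --limit-burst BURST."""
    def __init__(self, rate, burst):
        self.rate, self.burst, self.tokens, self.last = rate, burst, float(burst), 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

def filter_rst(packets, mask="RST", comp="RST", rate=2, burst=3):
    """Verdict per (time, flags) packet for the usual two-rule pattern:
         -p tcp --tcp-flags MASK COMP -m limit --limit RATE/s --limit-burst BURST -j ACCEPT
         -p tcp --tcp-flags MASK COMP -j DROP
    Packets that fail the flag test fall through and are ACCEPTed here."""
    limiter = LimitMatch(rate, burst)
    return ["ACCEPT" if not tcp_flags_match(mask, comp, f) or limiter.allow(t) else "DROP"
            for t, f in packets]

RST, RSTACK = FLAGS["RST"], FLAGS["RST"] | FLAGS["ACK"]
# Constructed burst: five bare RSTs within 0.2 s, one RST/ACK, then a lone RST a second later.
SAMPLE = [(0.0, RST), (0.0, RST), (0.0, RST), (0.1, RST), (0.2, RST), (0.2, RSTACK), (1.0, RST)]

def demo():
    """Compare 'any RST' (mask RST) with 'RST without ACK' (mask RST,ACK comp RST)."""
    return {"any_rst": filter_rst(SAMPLE, "RST", "RST"),
            "bare_rst_only": filter_rst(SAMPLE, "RST,ACK", "RST")}

if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(name, verdicts)
```

With mask `RST,ACK` and comp `RST` the rule sees only segments that carry RST without ACK, so the RST/ACK sample passes untouched, while mask `RST` alone treats both kinds the same and the RST/ACK sample is dropped once the bucket is empty.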