Denial of service attack against ip_conntrack ?
Ulrich Eckhardt
Ulrich.Eckhardt@transcom.de
Thu, 06 Apr 2000 15:43:43 +0200
Hi,
I have played today with ip_tables 1.0.0 on kernel
2.3.99-pre3-ac2 and nessus. It looks like the stream.c
denial of service attack works against the ip_conntrack
module in some way.
I got several messages like
ip_conntrack: maximum limit of 6144 entries exceeded
and the whole networking on this machine stops completely.
I have increased this limit via the /proc interface
up to 16000, but the networking still stops.
Is this really a denial of service attack, or can I increase
these limits as high as I want (how much memory does such
an entry consume)?
Regards
Uli
--
Ulrich Eckhardt Tr@nscom
http://people.frankfurt.netsurf.de/uli http://www.transcom.de
Lagerstraße 11-15 A8
64807 Dieburg Germany
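As an added example that is not part of the original post, the following Python (the syslog line layout around the kernel message quoted above is assumed; the log lines are constructed) flags ip_conntrack table exhaustion from kernel log lines and reports whether the table kept filling after its limit was raised, which is the symptom the post describes:

```python
import re
from collections import Counter

# Constructed kernel log lines, modelled on the message quoted in the post.
SAMPLE_LOG = """\
Apr  6 15:40:01 fw kernel: ip_conntrack: maximum limit of 6144 entries exceeded
Apr  6 15:40:01 fw kernel: ip_conntrack: maximum limit of 6144 entries exceeded
Apr  6 15:40:02 fw kernel: eth0: link up
Apr  6 15:41:10 fw kernel: ip_conntrack: maximum limit of 16000 entries exceeded
"""

# Assumed syslog prefix (timestamp, host, "kernel:") before the quoted message.
CONNTRACK_FULL = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: "
    r"ip_conntrack: maximum limit of (?P<limit>\d+) entries exceeded$"
)


def parse_conntrack_events(text):
    """Return (timestamp, limit) for each table-exhaustion message in the log."""
    events = []
    for line in text.splitlines():
        m = CONNTRACK_FULL.match(line)
        if m:
            events.append((m.group("ts"), int(m.group("limit"))))
    return events


def summarize(events):
    """Group exhaustion events by the limit that was in force when they fired.

    Exhaustion reported against more than one limit means the table was
    raised and still filled up, i.e. a flood rather than an undersized table.
    """
    by_limit = Counter(limit for _, limit in events)
    limits = sorted(by_limit)
    return {
        "events": len(events),
        "limits_seen": limits,
        "per_limit": dict(by_limit),
        "exhausted_after_raise": len(limits) > 1,
    }


if __name__ == "__main__":
    print(summarize(parse_conntrack_events(SAMPLE_LOG)))
```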