Denial of service attack against ip_conntrack ?
Alexander Demenshin
aldem@aldem.net
Fri, 7 Apr 2000 17:41:49 +0200
On Sat, Apr 08, 2000 at 12:04:08AM +1000, Soeren Eyhusen wrote:
> This is not correct. The third step is only ACK, not SYN+ACK.
OK, sorry :) It does not matter, in fact - we are discussing why
ACKs (without prior established connection) confuse conntrack...
> determine connection-requests. But when you send an ACK-packet, the firewall
> in most cases doesn't drop the packet and forwards it to the client.
In case of conntrack, it should be dropped (if connection was not
established before).
> The client responds with an RST and so the scanner knows there's someone listening...
Not really true - RST will be sent in any case - even if port is not in use.
--Al
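
The behaviour discussed in this message (an ACK with no previously established connection should be dropped by a connection tracker), as an added example that is not part of the original mail and is not netfilter code. It is a toy model of the three-way handshake only; the class and function names and the sample addresses are constructed for illustration.

```python
"""Toy stateful TCP tracker (constructed example, not ip_conntrack code)."""
from dataclasses import dataclass

SYN, ACK = "SYN", "ACK"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset


def pkt(src, sport, dst, dport, *flags):
    return Packet(src, sport, dst, dport, frozenset(flags))


def flow_key(p):
    # Direction-independent key, so a reply matches the flow it answers.
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


class Tracker:
    def __init__(self):
        self.flows = {}  # flow key -> (state, initiator endpoint)

    def verdict(self, p):
        key = flow_key(p)
        if key not in self.flows:
            # Only a pure SYN may create state; a bare ACK creates none.
            if p.flags == {SYN}:
                self.flows[key] = ("SYN_SENT", (p.src, p.sport))
                return "ACCEPT"
            return "DROP"
        state, initiator = self.flows[key]
        from_initiator = (p.src, p.sport) == initiator
        if state == "SYN_SENT" and p.flags == {SYN, ACK} and not from_initiator:
            self.flows[key] = ("SYN_RECV", initiator)
            return "ACCEPT"
        if state == "SYN_RECV" and p.flags == {ACK} and from_initiator:
            self.flows[key] = ("ESTABLISHED", initiator)
            return "ACCEPT"
        if state == "ESTABLISHED" and ACK in p.flags:
            return "ACCEPT"
        return "DROP"


def run(packets):
    tracker = Tracker()
    return [tracker.verdict(p) for p in packets], tracker.flows
```
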