Denial of service attack against ip_conntrack ?
Fri, 7 Apr 2000 17:41:49 +0200
On Sat, Apr 08, 2000 at 12:04:08AM +1000, Soeren Eyhusen wrote:
> This is not correct. The third step is only ACK, not SYN+ACK.
OK, sorry :) It does not matter, in fact - we are discussing why
ACKs (without prior established connection) confuse conntrack...
> determine connection-requests. But when you send an ACK-packet, the firewall
> in most cases doesn't drop the packet and forwards it to the client.
In case of conntrack, it should be dropped (if connection was not
> The client respones with an RST and so the scanner knows there's someone listening...
No really true - RST will be sent in any case - even if port is not in use.