Denial of service attack against ip_conntrack ?
Rusty Russell
rusty@linuxcare.com.au
Sun, 09 Apr 2000 12:53:08 +0930
In message <38EC948F.626C52A3@transcom.de> you write:
> Hi,
>
> I have played today with ip_tables 1.0.0 on kernel
> 2.3.99-pre3-ac2 and nessus. It looks like the stream.c
> denial of service attack works against the ip_conntrack
> module in some way.
Yep. Every new connection requires the allocation of some memory. We
limit it (the messages you saw) to avoid running the machine out of
memory entirely.
Not tracking connections which don't start with a SYN will defeat this
particular attack, but not a related attack which uses SYN packets (or
ping packets, or UDP packets).
I'm testing a patch now which introduces a more sophisticated form of
DoS avoidance, which should prevent it from hitting the wall quite as
suddenly (by definition, you will eventually lose).
Instead of a single high-watermark, we introduce a low-watermark
(where we start speeding up connection timeouts), a
medium-watermark (where we start dropping them more aggressively), and the
high-watermark where no new connections get handed out.
> I got several messages like
> ip_conntrack: maximum limit of 6144 entries exceeded
>
> and the whole networking on this machine stops completely.
Established connections should still be fine, though. Only new
connections cannot be created.
Rusty.
--
Hacking time.
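A small model of the three-watermark scheme described in the reply, added here as an illustration and not the netfilter patch itself; the thresholds, the idle timeout and the scaling factors are assumptions, and the flood input is constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Watermarks:
    low: int      # above this, idle entries time out faster
    medium: int   # above this, they time out much faster
    high: int     # at this, no new entries are admitted

@dataclass
class ConntrackTable:
    wm: Watermarks
    base_timeout: float = 600.0                   # assumed idle timeout (seconds)
    entries: dict = field(default_factory=dict)   # flow key -> time last seen

    def timeout_factor(self) -> float:
        """Scale applied to the idle timeout, driven by table occupancy."""
        n = len(self.entries)
        if n < self.wm.low:
            return 1.0
        if n < self.wm.medium:
            return 0.25        # assumed: 4x faster between low and medium
        return 1.0 / 64        # assumed: 64x faster at medium and above

    def expire(self, now: float) -> int:
        """Drop entries idle longer than the (pressure-scaled) timeout."""
        idle_limit = self.base_timeout * self.timeout_factor()
        stale = [k for k, seen in self.entries.items() if now - seen >= idle_limit]
        for k in stale:
            del self.entries[k]
        return len(stale)

    def packet(self, key, now: float) -> bool:
        """Track a packet; returns False only when a NEW flow is refused."""
        self.expire(now)
        if key in self.entries:
            self.entries[key] = now        # established flow: refresh and keep
            return True
        if len(self.entries) >= self.wm.high:
            return False                   # high watermark: no new connections
        self.entries[key] = now
        return True

def flood(table, established, attempts, step):
    """Constructed flood of unique new flows, interleaved with keepalives on
    one established flow. Returns (admitted, refused, peak_table_size)."""
    admitted = refused = peak = 0
    for i in range(attempts):
        now = i * step
        if i % 100 == 0:
            table.packet(established, now)   # the live connection keeps talking
        if table.packet(("flood", i), now):
            admitted += 1
        else:
            refused += 1
        peak = max(peak, len(table.entries))
    return admitted, refused, peak
```

Once the flood stops, the next packet on the live flow triggers an expiry pass at the aggressive scale, which purges the idle flood entries while the refreshed connection survives.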