Denial of service attack against ip_conntrack ?

Alexander Demenshin aldem@aldem.net
Sun, 9 Apr 2000 12:54:51 +0200


On Sun, Apr 09, 2000 at 01:27:05PM +1000, Rusty Russell wrote:

> Yep.  Every new connection requires the allocation of some memory.  We
> limit it (the messages you saw), to avoid running the machine out of
> memory entirely.

  The problem is different - my testing shows that a connection record
  is created even if I send a packet with only the FIN or ACK flag set.
  
  In the case of FIN or ACK (only), a record with a 5 sec timeout and
  state CLOSE is created...

> Not tracking connections which don't start with a SYN will defeat this
> particular attack, but not a related attack which uses SYN packets (or
> ping packets, or UDP packets).

  Sure, but why do we need to track a connection with unknown state?
  If we see a packet with only the ACK bit set but know nothing about
  the connection state, wouldn't it be better to DROP it?
  
  In addition - I really do not think that we need unconditional
  tracking of _all_ connections - in some cases it is not necessary
  (just imagine two busy gateways/firewalls - one is central and one
  is behind it - but both are responsible for firewalling).

> I'm testing a patch now which introduces a more sophisticated form of
> DoS avoidance, which should prevent it from hitting the wall quite as
> suddenly (by definition, you will eventually lose).

  No way - it cannot be done... As long as we have a table of connections,
  and as long as there is no filtering at another level (IPsec?), it is
  not possible by definition - because it is too easy to send a lot of
  SYN packets...
  
  Timeouts can help, but only in the case of slow links, not on
  high-speed links...
  
/Al
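The two behaviours argued about above, modelled in a small toy conntrack table. This is an added example, not the ip_conntrack code from the kernel or a patch from this thread: a fixed-size table of entries keyed on the 5-tuple, with a `syn_only` switch that implements the policy the mail proposes (drop a packet that belongs to no known connection unless it is a bare SYN). The 5 second CLOSE timeout is the value the mail reports; the other timeouts, the table size of 8, and all addresses are constructed for the example. Running it with stray ACK-only packets shows the table filling with short-lived CLOSE entries under the tracking-everything policy and staying empty under the SYN-only policy; running it with stray SYN packets shows Rusty's point that the SYN-only policy does nothing against a flood that does start with SYN.

```python
"""Toy model of the conntrack behaviour debated in the thread (added example)."""
from dataclasses import dataclass

# Timeouts in seconds. The 5 s CLOSE timeout is the one the mail reports;
# the other two are assumed placeholders, not values from the kernel source.
TIMEOUT_CLOSE = 5
TIMEOUT_SYN_SENT = 120
TIMEOUT_ESTABLISHED = 600


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "FIN"}

    def key(self):
        return (self.src, self.sport, self.dst, self.dport)


@dataclass
class Entry:
    state: str
    expires: float


class ConntrackTable:
    """Fixed-size table; syn_only=True is the policy the mail proposes."""

    def __init__(self, max_entries, syn_only):
        self.max_entries = max_entries
        self.syn_only = syn_only
        self.entries = {}
        self.dropped_no_state = 0    # non-SYN packets with no entry (syn_only)
        self.dropped_table_full = 0  # the "table full" limit Rusty mentions

    def expire(self, now):
        for key in [k for k, e in self.entries.items() if e.expires <= now]:
            del self.entries[key]

    def handle(self, pkt, now):
        self.expire(now)
        entry = self.entries.get(pkt.key())
        if entry is not None:
            # Known connection: advance the state and refresh the timeout.
            if "FIN" in pkt.flags:
                entry.state, entry.expires = "CLOSE", now + TIMEOUT_CLOSE
            else:
                entry.state, entry.expires = "ESTABLISHED", now + TIMEOUT_ESTABLISHED
            return "ACCEPT"
        # Unknown connection: decide whether it earns a table slot.
        if pkt.flags == {"SYN"}:
            state, timeout = "SYN_SENT", TIMEOUT_SYN_SENT
        elif self.syn_only:
            self.dropped_no_state += 1
            return "DROP"
        else:
            # Behaviour the mail observed: FIN/ACK-only packets still get
            # an entry, in state CLOSE with a 5 s timeout.
            state, timeout = "CLOSE", TIMEOUT_CLOSE
        if len(self.entries) >= self.max_entries:
            self.dropped_table_full += 1
            return "DROP"
        self.entries[pkt.key()] = Entry(state, now + timeout)
        return "ACCEPT"


def run_scenario(syn_only, stray_flags):
    """One legitimate client plus 20 stray packets from ports with no prior SYN.

    All addresses are constructed (RFC 5737 documentation ranges).
    """
    ct = ConntrackTable(max_entries=8, syn_only=syn_only)
    client = ("192.0.2.10", 40000, "198.51.100.1", 80)
    ct.handle(Packet(*client, frozenset({"SYN"})), now=0.0)
    ct.handle(Packet(*client, frozenset({"ACK"})), now=0.1)
    for i in range(20):
        ct.handle(Packet("203.0.113.5", 50000 + i, "198.51.100.1", 80,
                         frozenset(stray_flags)), now=1.0)
    return ct


if __name__ == "__main__":
    for syn_only in (False, True):
        for flags in ({"ACK"}, {"SYN"}):
            ct = run_scenario(syn_only, flags)
            print(f"syn_only={syn_only} stray={sorted(flags)}: "
                  f"entries={len(ct.entries)} no_state={ct.dropped_no_state} "
                  f"full={ct.dropped_table_full}")
```

With tracking of everything, the 20 stray ACKs fill the 8-slot table (7 CLOSE entries beside the one real connection) and 13 more are dropped as "table full"; the CLOSE entries are gone again once 5 seconds have passed, which is the window the mail measured. With `syn_only`, all 20 stray ACKs are dropped for lack of state and the table holds only the real connection, but 20 stray SYNs fill it exactly as before. The usual netfilter expression of the SYN-only policy (a standard rule, not taken from this thread) is `iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP`, and it carries the same limitation.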