Denial of service attack against ip_conntrack?
Sun, 9 Apr 2000 12:54:51 +0200
On Sun, Apr 09, 2000 at 01:27:05PM +1000, Rusty Russell wrote:
> Yep. Every new connection requires the allocation of some memory. We
> limit it (the messages you saw), to avoid running the machine out of
> memory entirely.
The problem is different - my testing shows that a connection record
is created even if I send a packet with only the FIN or ACK flag set.
In the case of FIN or ACK (only), a record with a 5-second timeout and
state CLOSE has been created...
> Not tracking connections which don't start with a SYN will defeat this
> particular attack, but not a related attack which uses SYN packets (or
> ping packets, or UDP packets).
Sure, but why do we need to track a connection with an unknown state?
If we see a packet with only the ACK bit set but do not know
anything about the connection state, would it not be better to DROP it?
In addition - I really do not think that we need unconditional
tracking of _all_ connections - in some cases it is not necessary
(just imagine two busy gateways/firewalls - one is central and one
is behind it - but both are responsible for firewalling).
> I'm testing a patch now which introduces a more sophisticated form of
> DoS avoidance, which should prevent it from hitting the wall quite as
> suddenly (by definition, you will eventually lose).
No way - it cannot be done... As long as we have a table of connections, and
as long as there is no filtering on another level (IPsec?), it is not
possible by definition - because it is too easy to send a lot of
Timeouts can help, but only in the case of slow links, not on high-speed
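The two positions in this exchange can be compared with a toy model of a connection table. This is an added example, not code from the thread or from ip_conntrack: it models a table with a memory limit and per-entry timeouts, and a `require_syn` switch for the proposal above (only SYN may create an entry; an unknown ACK-only or FIN-only packet is dropped without allocating anything). The addresses, the 120-second SYN timeout and the entry limit are constructed values; the 5-second CLOSE record follows the observation in the mail.

```python
# Toy model of a connection-tracking table; constructed for illustration,
# not the kernel's ip_conntrack implementation.
SYN, ACK, FIN = 0x02, 0x10, 0x01


class ConntrackTable:
    """Connection table keyed by 5-tuple; each entry carries a state and an expiry."""

    def __init__(self, max_entries, require_syn):
        self.max_entries = max_entries    # memory limit: "table full" above this
        self.require_syn = require_syn    # proposal from the mail: only SYN creates entries
        self.entries = {}                 # 5-tuple -> (state, expiry time)
        self.table_full_events = 0        # how often a packet hit the limit

    def expire(self, now):
        """Remove entries whose timeout has elapsed."""
        for key in [k for k, (_, exp) in self.entries.items() if exp <= now]:
            del self.entries[key]

    def handle(self, now, key, flags):
        """Return 'ACCEPT' or 'DROP' for one packet and update the table."""
        self.expire(now)
        if key in self.entries:
            return "ACCEPT"                 # known connection, nothing to allocate
        if self.require_syn and not (flags & SYN):
            return "DROP"                   # unknown connection without SYN: no record at all
        if len(self.entries) >= self.max_entries:
            self.table_full_events += 1
            return "DROP"                   # the "table full" situation the thread refers to
        if flags & SYN:
            state, ttl = "SYN_SENT", 120    # assumed timeout for the toy model
        else:
            state, ttl = "CLOSE", 5         # the 5-second CLOSE record seen in the mail
        self.entries[key] = (state, now + ttl)
        return "ACCEPT"


def flood(table, flags, n_packets, now=0.0):
    """Burst of n_packets, each from a fresh source port, all at time `now`.

    Returns (entries left in the table, number of table-full drops)."""
    for sport in range(1024, 1024 + n_packets):
        key = ("10.0.0.2", sport, "10.0.0.1", 80, "tcp")   # constructed 5-tuple
        table.handle(now, key, flags)
    return len(table.entries), table.table_full_events
```

With `require_syn=False` an ACK-only burst fills the table just like a SYN burst; with `require_syn=True` the ACK-only burst allocates nothing, while a SYN burst still fills it, which is the point made in the quoted reply.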