Denial of service attack against ip_conntrack?
Alexander Demenshin
aldem@aldem.net
Tue, 18 Apr 2000 10:53:55 +0200
On Tue, Apr 18, 2000 at 09:39:11AM +1000, Rusty Russell wrote:
> iptables -A FORWARD -i ppp0 -m state --state RELATED -j ACCEPT
>
> This one rule means that we need to track *all* traffic, to identify
> packets which are related to it. 8(
Hmm... Acceptance of RELATED connections should be based on
existing state entries, true? The same for ESTABLISHED
(in this case they should be created only if there were
some outgoing packets).
I mean that (for instance) if we see an incoming packet with
only the ACK/RST bit set and there is no state entry, we don't
need to create a new entry.
Yes, we _do_ need to track _all_ connections, but we _do not_
need to create new entries anyway (tracking itself is only a
time-consuming process, while creation of new entries is a
good opportunity for DoS).
Just thoughts... :)
--Al
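The entry-creation policy proposed in the message above, as an added illustration that is not code from this thread or from netfilter: a toy state table that tracks every packet but only creates an entry for a connection opened from the inside, so a flood of inbound bare ACK/RST packets is classified INVALID and allocates nothing. It models only NEW/ESTABLISHED/INVALID (no RELATED helpers), and the addresses and packets are constructed.

```python
# Simplified model (added illustration, not netfilter code) of the proposed
# policy: track every packet, but only an outgoing SYN may create a new entry.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset      # subset of {"SYN", "ACK", "RST", "FIN"}
    outgoing: bool        # True = packet leaves the protected network

class ConntrackModel:
    def __init__(self):
        self.table = {}   # normalised 5-tuple -> state name

    @staticmethod
    def key(p):
        # Both directions of a flow must map to the same entry.
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (a, b) if a < b else (b, a)

    def classify(self, p):
        """Return (state, created); states use the iptables -m state names."""
        k = self.key(p)
        if k in self.table:
            if self.table[k] == "NEW" and not p.outgoing and "ACK" in p.flags:
                self.table[k] = "ESTABLISHED"   # reply to our own SYN seen
            return self.table[k], False
        # No entry exists: only an outgoing bare SYN is allowed to create one.
        if p.outgoing and p.flags == frozenset({"SYN"}):
            self.table[k] = "NEW"
            return "NEW", True
        return "INVALID", False              # tracked, but nothing allocated

def simulate(packets):
    ct = ConntrackModel()
    results = [ct.classify(p) for p in packets]
    return results, len(ct.table)

# Constructed sample traffic: 100 inbound bare ACK/RST packets from distinct
# sources, then one legitimate connection opened from inside and its reply.
FLOOD = [Packet("203.0.113.%d" % i, 40000 + i, "192.0.2.10", 80,
                frozenset({"ACK", "RST"}), outgoing=False) for i in range(100)]
OUTBOUND_SYN = Packet("192.0.2.10", 51000, "198.51.100.5", 443, frozenset({"SYN"}), True)
INBOUND_SYNACK = Packet("198.51.100.5", 443, "192.0.2.10", 51000, frozenset({"SYN", "ACK"}), False)

if __name__ == "__main__":
    results, size = simulate(FLOOD + [OUTBOUND_SYN, INBOUND_SYNACK])
    print("state entries after flood + one real connection:", size)  # 1
```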