Denial of service attack against ip_conntrack ?
Jozsef Kadlecsik
kadlec@blackhole.kfki.hu
Tue, 18 Apr 2000 13:14:43 +0200 (CEST)
On Tue, 18 Apr 2000, Rusty Russell wrote:
> In message <Pine.LNX.4.10.10004141142330.32024-100000@blackhole.kfki.hu> you write:
> > It is not only the DoS attack. The other side of the problem is that ACK
> > scannings cannot be prevented with the current TCP conntrack model as
> > well.
>
> Huh? If you're not letting any connections in:
>
> iptables -A FORWARD -i ppp0 -m state --state ESTABLISHED,RELATED \
> -j ACCEPT
>
> If you are:
>
> iptables -A FORWARD -i ppp0 -m state --state NEW -p tcp --syn \
> -j ACCEPT
But then one cannot let the connections in question in (the firewall died
and we don't want to lose the already established connections). The
connection triggered by the ACK packet is flagged as NEW, but there is no SYN
flag in the packet.
> Precisely. Consider the following rule:
>
> iptables -A FORWARD -i ppp0 -m state --state RELATED -j ACCEPT
>
> This one rule means that we need to track *all* traffic, to identify
> packets which are related to it. 8(
If conntrack generation could be delayed after packet filtering!
However, it seems to me too complicated to have two conntrack mechanisms,
one for systems with NAT and one for pure packet filters.
> > - What about fine grained watermarks? Netfilter's infrastructure suggests
> > it: conntrack table, with which one can control the number of
> > connections per source/destination (/protocol?). (Some kind of wildcard
> > notation would be quite exciting: "any C network may have only x
> > parallel connections/sec".)
>
> Hmmm... interesting. That could be done by an iptables module which
> kept track of the numbers of connections. It wouldn't be *trivial*,
> but it would certainly be possible. In my new patch, you drop the
> packet which creates a connection, the connection is destroyed. This
> means you still spend cycles, but the desired effect would be
> attained.
conntrack knows about every new entry creation/deletion, doesn't it?
What about a conntrack table (iptables -t conntrack)? Wouldn't it be
simpler?
Regards,
Jozsef
-
E-mail : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
WWW-Home: http://www.kfki.hu/~kadlec
Address : KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary
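The two points argued over in this exchange, that a bare ACK arriving after the firewall has lost its state table is indistinguishable from an ACK-scan probe (both show up as NEW without SYN), and that a per-source "watermark" on the number of tracked connections can be enforced by refusing to create the entry, can be illustrated with a toy state tracker. The following is an added example written for this page; it is not netfilter's ip_conntrack code nor anything from the thread participants. The `Packet` class, the 4-tuple key, the `per_src_limit` field and the sample addresses are assumptions made for the illustration, and RELATED state is deliberately left out of the model.

```python
"""Toy model of NEW / ESTABLISHED classification and of the
'NEW must carry SYN' rule discussed in the thread.
This is an illustration added to the page, not netfilter code.
Assumed for the example: the Packet class, the 4-tuple key and the
per-source connection limit (the 'watermark' idea from the thread)."""
from dataclasses import dataclass, field

SYN, ACK = 0x02, 0x10  # TCP flag bits used by the toy model


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


@dataclass
class ConnTrack:
    # Known connections keyed by (src, sport, dst, dport); the per-source
    # limit plays the role of the connection watermark asked for in the thread.
    table: set = field(default_factory=set)
    per_src_limit: int = 0  # 0 means unlimited

    @staticmethod
    def _key(pkt):
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport)

    def flush(self):
        """Models the firewall dying: every tracked entry is lost."""
        self.table.clear()

    def state(self, pkt):
        """NEW if the tuple is unknown, ESTABLISHED otherwise.  A bare ACK for
        an unknown tuple is NEW: the tracker cannot tell a post-reboot ACK of a
        live connection from an ACK-scan probe."""
        return "ESTABLISHED" if self._key(pkt) in self.table else "NEW"

    def _src_count(self, src):
        return sum(1 for k in self.table if k[0] == src)

    def handle(self, pkt, allow_new_without_syn=False):
        """Return (state, verdict) following the rules from the thread:
        ESTABLISHED -> ACCEPT; NEW -> ACCEPT only when SYN is set (unless the
        caller relaxes that); a NEW connection above the per-source limit is
        dropped, and because the creating packet is dropped no entry survives."""
        st = self.state(pkt)
        if st == "ESTABLISHED":
            return st, "ACCEPT"
        if not (pkt.flags & SYN) and not allow_new_without_syn:
            return st, "DROP"
        if self.per_src_limit and self._src_count(pkt.src) >= self.per_src_limit:
            return st, "DROP"  # entry never enters the table
        self.table.add(self._key(pkt))
        return st, "ACCEPT"


def demo():
    """Walk through the scenarios from the thread with constructed packets.
    Returns the list of (state, verdict) results and the final table size."""
    ct = ConnTrack(per_src_limit=2)
    syn = Packet("10.0.0.5", 40000, "192.0.2.10", 80, SYN)
    ack = Packet("10.0.0.5", 40000, "192.0.2.10", 80, ACK)
    results = [
        ct.handle(syn),  # handshake starts: NEW with SYN -> ACCEPT, entry made
        ct.handle(ack),  # same tuple: ESTABLISHED -> ACCEPT
    ]
    ct.flush()  # firewall restarted; the live connection is now unknown
    results.append(ct.handle(ack))  # NEW without SYN -> DROP (the complaint)
    # Relaxing the rule lets the old connection through, but an ACK-scan
    # probe would create an entry in exactly the same way.
    results.append(ct.handle(ack, allow_new_without_syn=True))
    # Per-source watermark: the third connection from 10.0.0.5 is refused
    # and, since the packet is dropped, no entry is left behind.
    results.append(ct.handle(Packet("10.0.0.5", 40001, "192.0.2.10", 80, SYN)))
    results.append(ct.handle(Packet("10.0.0.5", 40002, "192.0.2.10", 80, SYN)))
    return results, len(ct.table)


if __name__ == "__main__":
    for r in demo()[0]:
        print(r)
```

Running it prints the six verdicts in order; the third one is the post-restart ACK being classed NEW and dropped by the SYN requirement, and the last one is the per-source limit refusing a third entry while the table stays at two.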