Denial of service attack against ip_conntrack ?
Ulrich Eckhardt
Ulrich.Eckhardt@transcom.de
Wed, 19 Apr 2000 09:33:30 +0200
Rusty Russell wrote:
>
> In message <38FC10C0.6A7547E5@transcom.de> you write:
> > Hi,
> >
> > I have tested these suggestions with our firewall rules here against
> > the stream attack. But it doesn't help.
>
> Yes. You need my kernel patch (attached below: not completely tested
> yet) which doesn't track connections for dropped packets.
>
> I might recommend that others try this: it also fixes the counter
> memory leak (Yon Uriarte) and the REDIRECT stupidity (Patrick), and a
> lookup-on-fragment case. It also tries some Randomish Early Drop when
> congested.
>
> Should be against 2.3.99-pre6-3,
> Rusty.
Hi,
with this patch and using the --syn option it looks promising :-)
No "maximum limit of 6144 entries exceeded" messages, and the
connection now comes back after the attack.
The only problem which I have detected is that on a machine
with a Pentium 166 which is connected through a 10MB link
the system has a very high system load (nearly 100%). During this
time it was not possible to log in to the machine via the console.
I think this high load is the reason that the other
network connections halt during this time.
But I think this is not a big problem, since this machine should
later on be running on a 128k line, and bigger processors are cheap
if you have faster connections.
Uli
--
Ulrich Eckhardt Tr@nscom
http://www.uli-eckhardt.de http://www.transcom.de
Lagerstraße 11-15 A8
64807 Dieburg Germany
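The thread describes two conntrack changes (entries are no longer allocated for packets the ruleset drops, and new entries are randomly dropped when the table is congested) and Uli reports that, with a --syn rule, the "maximum limit of 6144 entries exceeded" messages stop. The following toy model, added here as an illustration and not taken from Rusty's patch or the netfilter code, shows why that holds: it replays a constructed flood of bare ACK packets from many sources against a bounded table under both the old and the new allocation policy. The ruleset, the packet layout, the 0.9 congestion threshold for early drop and the address values are all assumptions of the model.

```python
"""Toy model of a bounded connection-tracking table under a packet flood.

Constructed example. It compares the pre-patch policy (every packet gets an
entry before the ruleset verdict is known) with the patched policy (a packet
the ruleset drops never allocates an entry, and allocations are randomly
refused as the table nears its limit).
"""
import random
from dataclasses import dataclass, field

TABLE_LIMIT = 6144   # the entry limit quoted in the thread's log message
SERVICE_PORT = 80    # assumed: the only service the firewall exposes


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dport: int
    syn: bool


def ruleset_accepts_new(pkt: Packet) -> bool:
    """Stand-in for a '--syn' rule: only a SYN to the service may open a flow."""
    return pkt.syn and pkt.dport == SERVICE_PORT


@dataclass
class ConntrackTable:
    limit: int = TABLE_LIMIT
    track_dropped: bool = True    # True models the pre-patch behaviour
    early_drop: bool = False      # True enables random early drop near the limit
    rng: random.Random = field(default_factory=lambda: random.Random(1))
    entries: set = field(default_factory=set)
    overflow: int = 0             # times "maximum limit exceeded" would be logged
    early_dropped: int = 0

    def _congested(self) -> bool:
        # Assumed policy: above 90% fill, refuse with probability rising to 1 at full.
        fill = len(self.entries) / self.limit
        if not self.early_drop or fill < 0.9:
            return False
        return self.rng.random() < (fill - 0.9) / 0.1

    def _allocate(self, key) -> bool:
        if len(self.entries) >= self.limit:
            self.overflow += 1
            return False
        if self._congested():
            self.early_dropped += 1
            return False
        self.entries.add(key)
        return True

    def process(self, pkt: Packet) -> bool:
        """Return True if the packet is forwarded."""
        key = (pkt.src, pkt.sport, pkt.dport)
        if key in self.entries:
            return True                       # established flow
        accepted = ruleset_accepts_new(pkt)
        if self.track_dropped:
            # pre-patch: the entry is created before the ruleset verdict,
            # so a packet that will be dropped still consumes a slot
            if not self._allocate(key):
                return False
            return accepted
        if not accepted:
            return False                      # dropped packets never touch the table
        return self._allocate(key)


def stream_flood(n: int, rng: random.Random) -> list:
    """Constructed flood: bare ACKs, one distinct source per packet, random ports."""
    return [Packet(f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}",
                   rng.randrange(1024, 65536), rng.randrange(1, 65536), syn=False)
            for i in range(n)]


def legit_clients(n: int) -> list:
    """Constructed legitimate traffic: SYNs from one client with distinct source ports."""
    return [Packet("192.0.2.10", 40000 + i, SERVICE_PORT, syn=True) for i in range(n)]


def simulate(track_dropped: bool, early_drop: bool,
             flood: int = 10000, clients: int = 100, seed: int = 7) -> dict:
    """Run the flood, then the legitimate SYNs, and report the table state."""
    table = ConntrackTable(track_dropped=track_dropped, early_drop=early_drop,
                           rng=random.Random(seed))
    for pkt in stream_flood(flood, random.Random(seed)):
        table.process(pkt)
    accepted = sum(table.process(p) for p in legit_clients(clients))
    return {"entries": len(table.entries), "overflow": table.overflow,
            "early_dropped": table.early_dropped, "clients_accepted": accepted}


if __name__ == "__main__":
    print("pre-patch:", simulate(track_dropped=True, early_drop=False))
    print("patched:  ", simulate(track_dropped=False, early_drop=False))
    print("patched, early drop, many clients:",
          simulate(track_dropped=False, early_drop=True, clients=7000))
```

In the pre-patch run the flood fills all 6144 slots and every later legitimate SYN is refused, which is the "entries exceeded" condition from the thread; in the patched run the flood never allocates anything, so the table holds only the real clients. The third run shows the early-drop policy shedding some new flows before the hard limit is hit.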