Denial of service attack against ip_conntrack ?

Rusty Russell rusty@linuxcare.com.au
Wed, 19 Apr 2000 20:01:24 +0930


In message <20000418105355.A737@aldem.net> you write:
> On Tue, Apr 18, 2000 at 09:39:11AM +1000, Rusty Russell wrote:
> 	I mean that (for instance) if we see incoming packet with
> 	only ACK/RST bit set and there is no state entry, we don't
> 	need to create new entry.

Hi Alexander!

The old masq/port-forward accepts these, to try to give some
consistency across reboots.  In a theoretically perfect world, we
could ignore it, but allowing them saves this case sometimes, making
people happier 8)

> 	Yes, we _do_ need to track _all_ connections, but we _do not_
> 	need to create new entries anyway (tracking itself is only
> 	time consuming process, while creation of new entries is
> 	good opportunity for DoS).

Unfortunately, even just allowing SYN to start a connection still
gives an opportunity for DoS (although it would stop stream.c of
course).  Hence the attempt to come up with other things which work
for the SYN flood case as well.

> 	Just thoughts... :)

And good ones, too.  The DoS problem is *hard*, and I'm very glad to
see it discussed; there have been some excellent ideas passed around
on and off the list about it.

Thanks,
Rusty.
--
Hacking time.