ipt_TCMSS.c -- A slight problem i'm having
Scott Knake
sknake at Apexsoftware.com
Mon Nov 1 17:50:37 CET 2004
/* Since it passed flags test in tcp match, we know it is is
not a fragment, and has data >= tcp header length. SYN
packets should not contain data: if they did, then we risk
running over MTU, sending Frag Needed and breaking things
badly. --RR */
if (tcplen != tcph->doff*4) {
if (net_ratelimit())
printk(KERN_ERR
"ipt_tcpmss_target: bad length (%d
bytes)\n",
(*pskb)->len);
return NF_DROP;
}
Feb 20 09:47:02 klogd: ipt_tcpmss_target: bad length (60 bytes)
Feb 20 09:47:07 klogd: ipt_tcpmss_target: bad length (60 bytes)
Feb 20 09:47:11 klogd: ipt_tcpmss_target: bad length (60 bytes)
(router date is wrong)
That is a little excerpt from ipt_TCMSS.c. The problem is that somebody
DoS'd me with syn Packets that contained data len(header) <!=
len(packet). I have a little ServGate SG100 router that handles my T1
connection. The router physically seized for the 5 minutes or so while
he packeted because of the amount of logging I'm guessing. How can I
block this with just an iptables ruleset? I'm trying not to limit the
incoming number of syn packets and I cant recompile netfilter since it
is running on a flavored kernel custom for the router. How am I going to
prevent this in the future?
More information about the netfilter
mailing list