Re: [netfilter-core] ip contrack problem, not strictly followed RFC,DoS very much possible

[Jozsef Kadlecsik]

Hi,

On Mon, 6 Dec 2004, Grzegorz Piotr Jaskiewicz wrote:

> Making it 5 days, makes linux router vournable to (D)DoS attacks. You
> can fill out conntrack hash tables very quickly, making it virtually
> dead. This computer will only respond to direct action, from keyboard,
> com port. This is insane, it just blocks it self, and does nothing, no
> fallback scenario, nothing.

The default hash size is computed very modestly from the size of the
available physical RAM of the machine. If the table fills up too fast,
then increase the hashsize when loading in the ip_conntrack module.
And/or add more RAM to the machine.  And/or setup rate-limiting in the raw
table, before packets hit conntrack itself.

But you are right, we should give more help to overcome disasters. For
example we could search more aggressively for unreplied (i.e droppable)
connections when the table is full, so releasing resources for new
connections (jenkins hash is too good :-). We could also introduce
"reserved conntrack entries", which could be occupied by specific
connections only, to make possible the remote management even when
otherwise the table is full. Just some coding is required :-).

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/