ipt_TCMSS.c -- A slight problem i'm having

All of lore.kernel.org
 help / color / mirror / Atom feed

* ipt_TCMSS.c -- A slight problem i'm having
@ 2004-11-01 16:50 Scott Knake
  2004-11-01 19:02 ` Jason Opperisano
  0 siblings, 1 reply; 2+ messages in thread
From: Scott Knake @ 2004-11-01 16:50 UTC (permalink / raw)
  To: netfilter

         /* Since it passed flags test in tcp match, we know it is is

            not a fragment, and has data >= tcp header length.  SYN

            packets should not contain data: if they did, then we risk

            running over MTU, sending Frag Needed and breaking things

            badly. --RR */

         if (tcplen != tcph->doff*4) {

                 if (net_ratelimit())

                         printk(KERN_ERR

                                "ipt_tcpmss_target: bad length (%d
bytes)\n",

                                (*pskb)->len);

                 return NF_DROP;

         }

Feb 20 09:47:02 klogd: ipt_tcpmss_target: bad length (60 bytes) 

Feb 20 09:47:07 klogd: ipt_tcpmss_target: bad length (60 bytes) 

Feb 20 09:47:11 klogd: ipt_tcpmss_target: bad length (60 bytes) 

(router date is wrong)

That is a little excerpt from ipt_TCMSS.c. The problem is that somebody
DoS'd me with syn Packets that contained data len(header) <!=
len(packet). I have a little ServGate SG100 router that handles my T1
connection. The router physically seized for the 5 minutes or so while
he packeted because of the amount of logging I'm guessing. How can I
block this with just an iptables ruleset? I'm trying not to limit the
incoming number of syn packets and I cant recompile netfilter since it
is running on a flavored kernel custom for the router. How am I going to
prevent this in the future?

^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: ipt_TCMSS.c -- A slight problem i'm having
  2004-11-01 16:50 ipt_TCMSS.c -- A slight problem i'm having Scott Knake
@ 2004-11-01 19:02 ` Jason Opperisano
  0 siblings, 0 replies; 2+ messages in thread
From: Jason Opperisano @ 2004-11-01 19:02 UTC (permalink / raw)
  To: netfilter

On Mon, Nov 01, 2004 at 11:50:37AM -0500, Scott Knake wrote:
<snip>
> That is a little excerpt from ipt_TCMSS.c. The problem is that somebody
> DoS'd me with syn Packets that contained data len(header) <!=
> len(packet). I have a little ServGate SG100 router that handles my T1
> connection. The router physically seized for the 5 minutes or so while
> he packeted because of the amount of logging I'm guessing. How can I
> block this with just an iptables ruleset? I'm trying not to limit the
> incoming number of syn packets and I cant recompile netfilter since it
> is running on a flavored kernel custom for the router. How am I going to
> prevent this in the future?

  iptables -t mangle -I PREROUTING -i $external_if -p tcp --syn \
    -m length ! --length 60 -j DROP

-j

--
"I bet Einstein turned himself all sorts of colors before he invented
the light bulb."
        --The Simpsons


^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2004-11-01 19:02 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2004-11-01 16:50 ipt_TCMSS.c -- A slight problem i'm having Scott Knake
2004-11-01 19:02 ` Jason Opperisano

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.