* TCP Reset to destination instead of source.
@ 2007-07-13 13:55 Adam Hasselbalch Hansen
From: Adam Hasselbalch Hansen @ 2007-07-13 13:55 UTC (permalink / raw)
To: netfilter-devel
Hi.
Suppose someone connects to, say, port 80, and an Apache thread handles
the connection. Now, httpd expects a couple of new-line terminated
lines, before it begins figuring out whether this connection sends a
valid HTTP-request or not. The problem is that this particular client
never sends a newline, since he expects something different than an
HTTP-server handling his request (because he is a moron and doesn't know
how to configure his particular software to not use port 80). Suppose
that these requests are pretty frequent, and actually take a bit of
resources from the system, since they leave a lot of httpds hanging
around, waiting for something which never happens.
Now, we would like to filter out these particular requests. Problem is,
we can't recognize them until after they've SYN/ACK'ed with httpd (at
which point, the originating IP is blacklisted). However, in order to
free the httpd-threads in question, since they're just hanging around
waiting for a newline which never comes, it could be nice to send them a
TCP_RESET, whenever we filter and blacklist one of these requests. So
my question is this:
Is this, to begin with, a reasonable solution?
And, supposing it is, would the way to do it not simply be to
add a --reject-with option, which calls the reject code, only without
swapping source and destination? And would this simply be adding a
suitable option-line in libipt_REJECT.c, an 'if' in send_reset in
ipt_REJECT.c, handling whether or not the src/dst-swapping should occur,
and obviously extending the enum in ipt_REJECT.h?
Thoughts are appreciated.
Adam
P.S. If you need further elaboration, please say so. :)
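The src/dst-swapping question above, worked through as an added example that is not part of the thread or of ipt_REJECT.c: the struct names, the `swap` flag and the sample addresses are all assumed for illustration. It only computes the header fields a reset would carry in each direction; the reset toward the server must look like the client's next in-sequence segment or the server will ignore it.

```c
#include <stdint.h>
#include <string.h>

/* Fields of the observed segment that matched the filter rule.
 * Addresses and ports are in host byte order. Constructed sample data
 * is used for testing; nothing is captured or sent here. */
struct tcp_obs {
    uint32_t saddr, daddr;   /* client -> server as seen on the wire */
    uint16_t sport, dport;
    uint32_t seq, ack;       /* sequence and acknowledgement numbers */
    uint32_t payload_len;    /* TCP payload bytes in this segment */
    int syn, fin, ack_flag, rst;
};

/* Header fields of the reset we would emit (hypothetical helper type). */
struct tcp_rst {
    uint32_t saddr, daddr;
    uint16_t sport, dport;
    uint32_t seq, ack;
    int ack_flag;
};

/* swap != 0: stock REJECT behaviour, the RST goes back to the sender.
 * swap == 0: the proposed variant, the RST is sent on to the destination
 * (the idle httpd) with the client's addressing kept, so the server
 * sees it as the client's next in-sequence segment.
 * Returns 1 if a reset was built, 0 if none should be sent. */
int build_rst(const struct tcp_obs *in, int swap, struct tcp_rst *out)
{
    memset(out, 0, sizeof *out);
    if (in->rst)                 /* never answer a RST with a RST */
        return 0;
    uint32_t next_seq = in->seq + in->syn + in->fin + in->payload_len;
    if (swap) {
        out->saddr = in->daddr; out->daddr = in->saddr;
        out->sport = in->dport; out->dport = in->sport;
        if (in->ack_flag) {      /* plain RST, seq = their ACK number */
            out->seq = in->ack;
        } else {                 /* RST/ACK acknowledging what we saw */
            out->ack_flag = 1;
            out->ack = next_seq;
        }
    } else {
        out->saddr = in->saddr; out->daddr = in->daddr;
        out->sport = in->sport; out->dport = in->dport;
        out->seq = next_seq;     /* must fall inside the server's window */
        out->ack = in->ack;
        out->ack_flag = in->ack_flag;
    }
    return 1;
}
```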
* Re: TCP Reset to destination instead of source.
From: Bill Rugolsky Jr. @ 2007-07-13 14:22 UTC (permalink / raw)
To: Adam Hasselbalch Hansen; +Cc: netfilter-devel
> Thoughts are appreciated.
http://www.lowth.com/cutter/
Summary
Network security administrators sometimes need to be able to abort
TCP/IP connections routed over their firewalls on demand. This would
allow them to terminate connections such as SSH tunnels or VPNs left
in place by employees over night, abort hacker attacks when they are
detected, stop high bandwidth consuming downloads - etc. There are many
potential applications.
This article describes how a Linux IPTables based firewall/router can
be used to send the right combination of TCP/IP packets to both ends of
a connection to cause them to abort the conversation. It describes the
steps required to perform this task, and introduces a new open-source
utility called "cutter" that automates the process.
...
Regards,
Bill Rugolsky