From: Robert L Mathews <lists@tigertech.com>
To: netfilter@vger.kernel.org
Subject: Re: conntrack and RSTs received during CLOSE_WAIT
Date: Tue, 19 May 2009 22:16:18 -0700 [thread overview]
Message-ID: <4A139222.2020505@tigertech.com> (raw)
In-Reply-To: <4A0F7FEE.3010405@tigertech.com>
I haven't received any more followups on this, so I'll try to hack some
solution around the problem.
But I will mention that I'm surprised that this didn't generate more
discussion. Unless I'm confused (which is possible), sending
out-of-sequence RST packets appears to be a trivial way to bypass connlimit.
It seems that all an attacker needs to do is send invalid RST packets
with a sequence number one less than the last ACK received from the
server. Then conntrack will forget about the connection, allowing the
attacker to open as many connections as desired, regardless of connlimit
limits.
I wrote a little perl script that I can leave running in the background
on the client to send the necessary RST packets. In my testing, it does
allow me to bypass connlimit restrictions on a server:
http://www.tigertech.net/patches/rawip.pl
This seems to make connlimit less useful than I'd previously believed.
Am I just misunderstanding something?
--
Robert L Mathews, Tiger Technologies http://www.tigertech.net/
next prev parent reply other threads:[~2009-05-20 5:16 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-05-15 22:10 conntrack and RSTs received during CLOSE_WAIT Robert L Mathews
2009-05-16 21:57 ` Jozsef Kadlecsik
2009-05-17 3:09 ` Robert L Mathews
2009-05-20 5:16 ` Robert L Mathews [this message]
2009-05-20 7:19 ` Jozsef Kadlecsik
2009-05-20 7:31 ` Philip Craig
2009-05-20 7:42 ` Jozsef Kadlecsik
2009-05-20 8:06 ` Philip Craig
2009-05-20 8:43 ` Jozsef Kadlecsik
2009-05-20 20:24 ` Robert L Mathews
2009-05-20 21:40 ` Jozsef Kadlecsik
2009-05-21 8:17 ` Anatoly Muliarski
2009-05-21 9:11 ` Jozsef Kadlecsik
2009-05-21 18:07 ` Robert L Mathews
2009-05-21 15:31 ` Jozsef Kadlecsik
2009-05-21 18:45 ` Robert L Mathews
2009-05-22 4:32 ` Anatoly Muliarski
2009-05-22 7:21 ` Jozsef Kadlecsik
2009-05-22 8:26 ` Anatoly Muliarski
2009-05-22 8:54 ` Jozsef Kadlecsik
2009-05-22 11:27 ` Jozsef Kadlecsik
2009-05-22 7:42 ` Jozsef Kadlecsik
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4A139222.2020505@tigertech.com \
--to=lists@tigertech.com \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.