From: Robert L Mathews <lists@tigertech.com>
To: netfilter@vger.kernel.org
Subject: Re: conntrack and RSTs received during CLOSE_WAIT
Date: Wed, 20 May 2009 13:24:22 -0700 [thread overview]
Message-ID: <4A1466F6.8070304@tigertech.com> (raw)
In-Reply-To: <alpine.DEB.2.00.0905200904310.10018@blackhole.kfki.hu>
Jozsef Kadlecsik wrote:
> No, you are correct.
Hmmm, okay. I must say I'm a little surprised by that. I've seen plenty
of people using connlimit and connbytes (for example) to protect against
all kinds of things, and I don't think it's widely known that it's
trivial for an attacker to bypass those restrictions.
Anyway, though:
>If you want to eliminate the possibility to bypass
> connlimit with properly crafted RST segments, probably you should use the
> recent match and count the created NEW connections.
My goal with connlimit is to limit simultaneous connections so that it
prevents a single client from using up all the Apache process slots.
However, I don't want to limit how many connections they can open in a
period of time.
For example, it's perfectly fine for someone to open, say, 500
connections per minute, as long as they don't open more than 40 at a
time. But I do need to block the 41st simultaneous connection even from
people who open up connections very slowly, such as someone who opens up
just five connections per hour and never closes them.
Is that something the "recent" feature can help with? I'm not seeing how
that's possible, but perhaps I'm missing something.
Thanks again for the help!
--
Robert L Mathews, Tiger Technologies http://www.tigertech.net/
next prev parent reply other threads:[~2009-05-20 20:24 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-05-15 22:10 conntrack and RSTs received during CLOSE_WAIT Robert L Mathews
2009-05-16 21:57 ` Jozsef Kadlecsik
2009-05-17 3:09 ` Robert L Mathews
2009-05-20 5:16 ` Robert L Mathews
2009-05-20 7:19 ` Jozsef Kadlecsik
2009-05-20 7:31 ` Philip Craig
2009-05-20 7:42 ` Jozsef Kadlecsik
2009-05-20 8:06 ` Philip Craig
2009-05-20 8:43 ` Jozsef Kadlecsik
2009-05-20 20:24 ` Robert L Mathews [this message]
2009-05-20 21:40 ` Jozsef Kadlecsik
2009-05-21 8:17 ` Anatoly Muliarski
2009-05-21 9:11 ` Jozsef Kadlecsik
2009-05-21 18:07 ` Robert L Mathews
2009-05-21 15:31 ` Jozsef Kadlecsik
2009-05-21 18:45 ` Robert L Mathews
2009-05-22 4:32 ` Anatoly Muliarski
2009-05-22 7:21 ` Jozsef Kadlecsik
2009-05-22 8:26 ` Anatoly Muliarski
2009-05-22 8:54 ` Jozsef Kadlecsik
2009-05-22 11:27 ` Jozsef Kadlecsik
2009-05-22 7:42 ` Jozsef Kadlecsik
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4A1466F6.8070304@tigertech.com \
--to=lists@tigertech.com \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.