From: Changli Gao <xiaosuo@gmail.com>
To: Patrick McHardy <kaber@trash.net>
Cc: netfilter-devel@vger.kernel.org, xiaosuo <xiaosuo@gmail.com>
Subject: Add separated timeout for the connections that only receive packets in one direction
Date: Fri, 27 Nov 2009 17:09:11 +0800
Message-ID: <4B0F9737.8050606@gmail.com>

Add separated timeout for the connections that only receive packets in one direction.

If we use tcp_timeouts[TCP_CONNTRACK_ESTABLISHED] to timeout the connections that only receive packets in one direction, an ACK flood attack with fake source address A will exhaust A's connection limit, and A is DoSed. After the attack is stopped, A can't recover quickly due to the large timeout value.

This patch adds a new timeout value: nf_ct_tcp_timeout_loose_unreply for this kind of connection. It can help A to recover quickly after the attack is over.

Signed-off-by: Changli Gao <xiaosuo@gmail.com>
----
 nf_conntrack_proto_tcp.c |   19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index 7eda8b8..471045a 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -70,6 +70,8 @@ static const char *const tcp_conntrack_names[] = {
 static unsigned int nf_ct_tcp_timeout_max_retrans __read_mostly    =   5 MINS;
 static unsigned int nf_ct_tcp_timeout_unacknowledged __read_mostly =   5 MINS;
 
+static unsigned int nf_ct_tcp_timeout_loose_unreply __read_mostly  =   30 SECS;
+
 static unsigned int tcp_timeouts[TCP_CONNTRACK_MAX] __read_mostly = {
 	[TCP_CONNTRACK_SYN_SENT]	= 2 MINS,
 	[TCP_CONNTRACK_SYN_RECV]	= 60 SECS,
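Review bot: the 30 SECS default for nf_ct_tcp_timeout_loose_unreply is introduced without any rationale in the commit message, while the two neighbouring caps in this block (nf_ct_tcp_timeout_max_retrans and nf_ct_tcp_timeout_unacknowledged) are both 5 MINS. Please say why 30 seconds was chosen, since every picked-up connection whose reply direction conntrack has not yet seen will be held to it, not only entries created by a flood.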
@@ -1006,6 +1008,9 @@ static int tcp_packet(struct nf_conn *ct,
 			nf_ct_kill_acct(ct, ctinfo, skb);
 			return NF_ACCEPT;
 		}
+		if (new_state == TCP_CONNTRACK_ESTABLISHED &&
+		    timeout > nf_ct_tcp_timeout_loose_unreply)
+			timeout = nf_ct_tcp_timeout_loose_unreply;
 	} else if (!test_bit(IPS_ASSURED_BIT, &ct->status)
 		   && (old_state == TCP_CONNTRACK_SYN_RECV
 		       || old_state == TCP_CONNTRACK_ESTABLISHED)
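Review bot: the condition of the enclosing branch lies above this hunk's context, so the hunk itself does not show that the new cap is applied only to entries that have not seen a reply; the commit message should state that condition explicitly, and a short comment on the three added lines (the existing RST case just above has one) would make the intent clear to the next reader. Also, the cap is tied to new_state == TCP_CONNTRACK_ESTABLISHED only, so an unreplied entry in any other state keeps its full per-state timeout; please confirm that this restriction is intended.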
@@ -1298,6 +1303,13 @@ static struct ctl_table tcp_sysctl_table[] = {
 		.proc_handler	= proc_dointvec,
 	},
 	{
+		.procname	= "nf_conntrack_tcp_timeout_loose_unreply",
+		.data		= &nf_ct_tcp_timeout_loose_unreply,
+		.maxlen		= sizeof(unsigned int),
+		.mode		= 0644,
+		.proc_handler	= proc_dointvec_jiffies,
+	},
+	{
 		.procname       = "nf_conntrack_tcp_be_liberal",
 		.data           = &nf_ct_tcp_be_liberal,
 		.maxlen         = sizeof(unsigned int),
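Review bot: the new knob is not documented anywhere in this patch (the diffstat shows only nf_conntrack_proto_tcp.c changing). Add a description of nf_conntrack_tcp_timeout_loose_unreply, the condition under which it applies, its unit (proc_dointvec_jiffies, so seconds at the sysctl interface) and its default of 30 to the kernel's sysctl documentation. The entry itself matches the neighbouring timeout entries in mode and handler.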
@@ -1394,6 +1406,13 @@ static struct ctl_table tcp_compat_sysctl_table[] = {
 		.proc_handler	= proc_dointvec,
 	},
 	{
+		.procname	= "ip_conntrack_tcp_timeout_loose_unreply",
+		.data		= &nf_ct_tcp_timeout_loose_unreply,
+		.maxlen		= sizeof(unsigned int),
+		.mode		= 0644,
+		.proc_handler	= proc_dointvec_jiffies,
+	},
+	{
 		.procname	= "ip_conntrack_tcp_be_liberal",
 		.data		= &nf_ct_tcp_be_liberal,
 		.maxlen		= sizeof(unsigned int),
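Review bot: this hunk duplicates the new entry into tcp_compat_sysctl_table under the legacy ip_conntrack_tcp_timeout_loose_unreply name. The compat table exists to keep names that older userspace already depends on; a brand-new knob arguably needs only the nf_conntrack_tcp_ name. If the compat alias is kept on purpose, the commit message should mention that both names are added.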
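As an added example, not part of this patch or of the kernel: a small Python model of the timeout rule the tcp_packet() hunk introduces, run against a constructed spoofed-ACK flood, to show why an unreplied ESTABLISHED entry held for the full established timeout pins the victim address against a per-source connection limit, and how the 30 second cap lets that address recover. The victim address, the per-source limit (standing in for a connlimit-style rule), the packet rate and the assumption that the flood is picked up as ESTABLISHED with conntrack's loose pickup are constructed for illustration; the 5-day figure is the mainline default for the ESTABLISHED state, and the 30 second figure is the default visible in the hunk.

```python
# Model of the timeout selection changed by the patch (constructed example,
# not kernel code). Times are in seconds.

ESTABLISHED_TIMEOUT = 5 * 24 * 3600   # nf_conntrack_tcp_timeout_established default: 5 days
LOOSE_UNREPLY_TIMEOUT = 30            # default from the hunk: 30 SECS


def entry_timeout(new_state, seen_reply, base_timeout,
                  loose_unreply=LOOSE_UNREPLY_TIMEOUT, patched=True):
    """Timeout assigned to an entry after a packet. Mirrors the added check in
    tcp_packet(): an entry entering ESTABLISHED that has never seen a reply is
    capped at loose_unreply; every other case keeps the per-state timeout."""
    if (patched and not seen_reply and new_state == "ESTABLISHED"
            and base_timeout > loose_unreply):
        return loose_unreply
    return base_timeout


class ConntrackModel:
    """Toy conntrack table with a per-source-address entry limit, standing in
    for a connlimit-style rule. Entries are keyed by a constructed flow id."""

    def __init__(self, patched, per_source_limit):
        self.patched = patched
        self.limit = per_source_limit
        self.entries = {}   # flow key -> (src, expires_at)

    def _expire(self, now):
        # Drop every entry whose timeout has run out.
        self.entries = {k: v for k, v in self.entries.items() if v[1] > now}

    def live_count(self, now, src):
        self._expire(now)
        return sum(1 for s, _ in self.entries.values() if s == src)

    def packet(self, now, key, src, state, seen_reply):
        """Return True if the packet is accepted (entry created or refreshed),
        False if the per-source limit rejects a new entry for src."""
        if key not in self.entries and self.live_count(now, src) >= self.limit:
            return False
        timeout = entry_timeout(state, seen_reply, ESTABLISHED_TIMEOUT,
                                patched=self.patched)
        self.entries[key] = (src, now + timeout)
        return True

    def seconds_until_below_limit(self, now, src):
        """How long src stays pinned at the limit: the delay until enough of
        its entries expire that one new entry would be admitted."""
        self._expire(now)
        expiries = sorted(e for s, e in self.entries.values() if s == src)
        if len(expiries) < self.limit:
            return 0
        return expiries[len(expiries) - self.limit] - now


def simulate(patched, flood_seconds=50, flood_pps=100, limit=100):
    """Spoofed ACK flood carrying victim A's address as source, picked up by
    conntrack as ESTABLISHED with no reply ever seen. Returns the number of
    entries held against A when the flood stops and the seconds A remains
    locked out afterwards."""
    table = ConntrackModel(patched, limit)
    victim = "198.51.100.7"     # constructed victim address A
    flow = 0
    for t in range(flood_seconds):
        for _ in range(flood_pps):
            flow += 1
            table.packet(t, ("spoofed", flow), victim, "ESTABLISHED", seen_reply=False)
    held = table.live_count(flood_seconds, victim)
    lockout = table.seconds_until_below_limit(flood_seconds, victim)
    return held, lockout


if __name__ == "__main__":
    for patched in (False, True):
        held, lockout = simulate(patched)
        print(f"patched={patched}: {held} entries held against A, "
              f"A locked out for {lockout} s after the flood")
```

With the defaults above, the unpatched table keeps the first 100 spoofed entries for the whole 5-day established timeout, so A stays at its limit for 431950 seconds after the flood stops; with the cap, the entries churn every 30 seconds and A is admitted again 10 seconds after the last spoofed packet. The model deliberately ignores the reply direction of the flood entries, which is exactly the property the patch keys on.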

