public inbox for linux-kernel@vger.kernel.org
From: Willy Tarreau <willy@w.ods.org>
To: Herbert Xu <herbert@gondor.apana.org.au>
Cc: davem@davemloft.net, xschmi00@stud.feec.vutbr.cz,
	alastair@unixtrix.com, linux-kernel@vger.kernel.org,
	netdev@oss.sgi.com
Subject: Re: [PATCH] fix small DoS on connect() (was Re: BUG: Unusual TCP Connect() results.)
Date: Mon, 13 Jun 2005 08:17:48 +0200	[thread overview]
Message-ID: <20050613061748.GA13144@alpha.home.local> (raw)
In-Reply-To: <20050613052404.GA7611@gondor.apana.org.au>

On Mon, Jun 13, 2005 at 03:24:04PM +1000, Herbert Xu wrote:
> On Mon, Jun 13, 2005 at 07:21:48AM +0200, Willy Tarreau wrote:
> > 
> > > A much better place to do that is netfilter.  If you do it there
> > > then not only will you protect all Linux machines from this attack,
> > > but you'll also protect all the other BSD-derived TCP stacks.
> > 
> > Netfilter already blocks simultaneous connection. A SYN in return to
> > a SYN produces an INVALID state.
> 
> Any reason why that isn't enough?

I don't think there are a lot of people who load ip_conntrack and insert
a single DROP rule on their servers just to work around weaknesses in the
TCP stack. If they did, they would not be more confident in netfilter
either, because it would be logical to expect the same reasoning (e.g.: let's
not fix XX here, TCP will catch it).

What's the problem with the sysctl? If you prefer, I can change the patch
to keep the feature enabled by default so that only people aware of the
problem have to fix it by hand. But I found it better the other way: people
who need the feature enable it by hand.

Cheers,
willy
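Added illustration (not from the thread, and not the kernel's ip_conntrack code): a toy connection tracker that models the netfilter behaviour Willy relies on above, where a bare SYN received in reply to an outbound SYN (a simultaneous open) leaves the entry in INVALID state, so a single DROP rule on INVALID state would discard it. The packets and addresses are constructed sample data.

```python
# Toy tracker modelling the conntrack behaviour described in the thread:
# a SYN answered by a bare SYN is marked INVALID, so a rule such as
#   iptables -A INPUT -m state --state INVALID -j DROP
# would drop the simultaneous-open attempt. Sample packets are constructed;
# this is an added example, not the kernel's own implementation.
from dataclasses import dataclass

SYN, ACK = 0x02, 0x10


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def key(p):
    # Direction-independent 4-tuple so both directions hit the same entry.
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


def track(packets):
    """Replay packets in order; return {4-tuple: (state, originator)}."""
    table = {}
    for p in packets:
        k = key(p)
        state, orig = table.get(k, ("NEW", None))
        if state == "NEW":
            # Only a bare SYN may open a tracked entry.
            table[k] = ("SYN_SENT", (p.src, p.sport)) if p.flags == SYN \
                else ("INVALID", None)
            continue
        reply = (p.src, p.sport) != orig
        if state == "SYN_SENT" and reply:
            if p.flags == SYN | ACK:
                table[k] = ("SYN_RECV", orig)
            elif p.flags & SYN:
                # Bare SYN back to our SYN: simultaneous open -> INVALID.
                table[k] = ("INVALID", orig)
        elif state == "SYN_RECV" and not reply and p.flags == ACK:
            table[k] = ("ESTABLISHED", orig)
    return table


def states(packets):
    """Final state of every flow seen, as a sorted list of names."""
    return sorted(s for s, _ in track(packets).values())


def verdict(state):
    # The single rule from the thread: drop INVALID, accept the rest.
    return "DROP" if state == "INVALID" else "ACCEPT"
```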

