From: Grzegorz Piotr Jaskiewicz <gj@pointblue.com.pl>
To: kernel list <linux-kernel@vger.kernel.org>
Cc: coreteam@netfilter.org
Subject: ip conntrack problem, not strictly followed RFC, DoS very much possible
Date: Mon, 06 Dec 2004 14:54:59 +0100
Message-ID: <41B464B3.8020807@pointblue.com.pl>
Hi list,
There has been a little bug, ever since, that no author would agree to correct
(dunno why), in ip_conntrack_proto_tcp.c:91:
unsigned long ip_ct_tcp_timeout_established = 5 DAYS;
Making it 5 days makes a Linux router vulnerable to (D)DoS attacks. You
can fill up the conntrack hash tables very quickly, making it virtually
dead. The computer will then only respond to direct action from the keyboard
or the COM port. This is insane; it just blocks itself and does nothing, no
fallback scenario, nothing.
As far as I remember (I have to look and find the exact place where it's
written), the RFC specifies this timeout as max 100s. 5 days is insane, and
no argumentation will explain it. I would suggest changing it to 100
SECS and removing the line:
#define DAYS * 24 HOURS
as it won't be used anymore.
If someone has argumentation for the 5 days timeout, please speak out. In
everyday life (router, desktop, server usage) 100s is enough there, and it
makes my life easier, as well as that of many other Linux admins.
Thanks.
--
GJ
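The mechanism behind the complaint above, as an added example that is neither the mail author's nor the kernel's code: a toy model of a connection-tracking table in which every tracked flow is held for the established-state timeout and the table refuses new flows once it is full. It goes slightly beyond the mail by showing the general rule the argument rests on: the number of entries an attacker can keep resident is roughly arrival rate times timeout, capped by the table size. Everything in it is assumed for illustration: HZ, the table limit TABLE_MAX (a stand-in for ip_conntrack_max), the 200 flows/s flood, the SECS/MINS/HOURS macros written in the same style as the DAYS macro the mail quotes, and the simplified drop-when-full policy (no eviction of old entries, no modelling of what the real conntrack code does when full).

```c
/*
 * Added example (not from the mail or the kernel): a toy model of a
 * connection-tracking table, showing why the established-state timeout
 * bounds how many entries an attacker can pin in the table.
 */
#include <stdio.h>
#include <stdlib.h>

/* Assumed stand-in for the kernel's HZ (jiffies per second). */
#define HZ 100
/* The mail quotes only the DAYS macro; SECS/MINS/HOURS are assumed here
 * in the same style so that "5 DAYS" and "100 SECS" expand to jiffies. */
#define SECS  * HZ
#define MINS  * 60 SECS
#define HOURS * 60 MINS
#define DAYS  * 24 HOURS

/* Constructed table limit, standing in for ip_conntrack_max. */
#define TABLE_MAX 65536UL

struct sim_result {
    unsigned long peak_entries;  /* highest number of live entries seen */
    unsigned long dropped;       /* new flows refused because the table was full */
};

/* Convert a timeout expressed in jiffies back to whole seconds. */
unsigned long timeout_seconds(unsigned long jiffies)
{
    return jiffies / HZ;
}

/*
 * Model the table as a timer wheel with one bucket per second of the
 * timeout: flows inserted at second t sit in bucket t % timeout and are
 * evicted when the wheel comes back round to that bucket.  New flows
 * arrive at rate_per_sec for duration_sec seconds; when the table is
 * full the surplus is dropped (a simplification of the "router goes
 * dead" failure mode in the mail: no early eviction of old entries).
 */
struct sim_result simulate(unsigned long timeout_jiffies,
                           unsigned long rate_per_sec,
                           unsigned long duration_sec)
{
    struct sim_result r = { 0, 0 };
    unsigned long wheel_len = timeout_seconds(timeout_jiffies);
    if (wheel_len == 0)
        wheel_len = 1;                 /* sub-second timeout: expire next tick */
    unsigned long *wheel = calloc(wheel_len, sizeof *wheel);
    if (wheel == NULL)
        return r;
    unsigned long live = 0;

    for (unsigned long t = 0; t < duration_sec; t++) {
        unsigned long slot = t % wheel_len;

        /* Entries inserted exactly one timeout ago expire now. */
        live -= wheel[slot];
        wheel[slot] = 0;

        /* Admit as many new flows as the table has room for. */
        unsigned long room = TABLE_MAX - live;
        unsigned long admitted = rate_per_sec < room ? rate_per_sec : room;
        wheel[slot] += admitted;
        live += admitted;
        r.dropped += rate_per_sec - admitted;

        if (live > r.peak_entries)
            r.peak_entries = live;
    }
    free(wheel);
    return r;
}

int main(void)
{
    /* Constructed load: 200 new flows/s for one hour, a modest flood. */
    struct sim_result five_days = simulate(5 DAYS, 200, 3600);
    struct sim_result hundred_s = simulate(100 SECS, 200, 3600);

    printf("5 DAYS   = %lu s: peak %lu entries, %lu flows dropped\n",
           timeout_seconds(5 DAYS), five_days.peak_entries, five_days.dropped);
    printf("100 SECS = %lu s: peak %lu entries, %lu flows dropped\n",
           timeout_seconds(100 SECS), hundred_s.peak_entries, hundred_s.dropped);
    return 0;
}
```

With the 5-day timeout nothing expires within the hour, so the table hits its 65536-entry cap after about 328 seconds and every later flow is refused; with a 100-second timeout the same load settles at 200 x 100 = 20000 resident entries and nothing is dropped. The steady-state occupancy is simply rate times timeout (capped at the table size), which is why the timeout, not just the table size, decides how cheap the flood is.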
Thread overview: 8+ messages
2004-12-06 13:54 Grzegorz Piotr Jaskiewicz [this message]
2004-12-06 14:28 ` ip conntrack problem, not strictly followed RFC, DoS very much possible Baruch Even
2004-12-06 19:11 ` Jose Luis Domingo Lopez
2004-12-06 19:31 ` Lee Revell
2004-12-06 19:48 ` Valdis.Kletnieks
2004-12-06 22:20 ` gj
2004-12-06 22:48 ` Willy Tarreau
2004-12-07 8:56 ` [netfilter-core] " Jozsef Kadlecsik