* DoS by cat /proc/net/ip_conntrack ?
@ 2008-03-06 13:43 Denys Fedoryshchenko
2008-03-06 13:51 ` Krzysztof Oledzki
0 siblings, 1 reply; 7+ messages in thread
From: Denys Fedoryshchenko @ 2008-03-06 13:43 UTC (permalink / raw)
To: netdev
Hi again
On loaded router
net.netfilter.nf_conntrack_count = 415633
passing about 100-150 Mbps
network cards 3xe100, 1xe1000e
I tried to issue the command cat /proc/net/ip_conntrack | grep 'something'
The router went dead for about 2 minutes; even my ssh session got disconnected.
Ping looked like this:
64 bytes from dotfib (10.184.184.1): icmp_seq=15 ttl=61 time=4321 ms
64 bytes from dotfib (10.184.184.1): icmp_seq=50 ttl=61 time=398 ms
64 bytes from dotfib (10.184.184.1): icmp_seq=122 ttl=61 time=15.3 ms
64 bytes from dotfib (10.184.184.1): icmp_seq=142 ttl=61 time=4452 ms
64 bytes from dotfib (10.184.184.1): icmp_seq=180 ttl=61 time=850 ms
(system recovered)
64 bytes from dotfib (10.184.184.1): icmp_seq=182 ttl=61 time=0.681 ms
64 bytes from dotfib (10.184.184.1): icmp_seq=183 ttl=61 time=0.936 ms
64 bytes from dotfib (10.184.184.1): icmp_seq=184 ttl=61 time=2.94 ms
I don't think it is normal that such a command takes a lot of system resources
and causes the whole system to hang.
Kernel 2.6.24.2
--
Denys Fedoryshchenko
Technical Manager
Virtual ISP S.A.L.
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: DoS by cat /proc/net/ip_conntrack ?
2008-03-06 13:43 DoS by cat /proc/net/ip_conntrack ? Denys Fedoryshchenko
@ 2008-03-06 13:51 ` Krzysztof Oledzki
2008-03-08 12:26 ` Jarek Poplawski
0 siblings, 1 reply; 7+ messages in thread
From: Krzysztof Oledzki @ 2008-03-06 13:51 UTC (permalink / raw)
To: Denys Fedoryshchenko; +Cc: netdev
On Thu, 6 Mar 2008, Denys Fedoryshchenko wrote:
> Hi again
Hi,
> On loaded router
> net.netfilter.nf_conntrack_count = 415633
> passing about 100-150 Mbps
> network cards 3xe100, 1xe1000e
>
> I tried to issue the command cat /proc/net/ip_conntrack | grep 'something'
>
> The router went dead for about 2 minutes; even my ssh session got disconnected.
> Ping looked like this:
> 64 bytes from dotfib (10.184.184.1): icmp_seq=15 ttl=61 time=4321 ms
> 64 bytes from dotfib (10.184.184.1): icmp_seq=50 ttl=61 time=398 ms
> 64 bytes from dotfib (10.184.184.1): icmp_seq=122 ttl=61 time=15.3 ms
> 64 bytes from dotfib (10.184.184.1): icmp_seq=142 ttl=61 time=4452 ms
> 64 bytes from dotfib (10.184.184.1): icmp_seq=180 ttl=61 time=850 ms
> (system recovered)
> 64 bytes from dotfib (10.184.184.1): icmp_seq=182 ttl=61 time=0.681 ms
> 64 bytes from dotfib (10.184.184.1): icmp_seq=183 ttl=61 time=0.936 ms
> 64 bytes from dotfib (10.184.184.1): icmp_seq=184 ttl=61 time=2.94 ms
>
> I don't think it is normal that such a command takes a lot of system resources
> and causes the whole system to hang.
>
> Kernel 2.6.24.2
The answer is quite simple here: don't do this. Instead use "conntrack -L"
as netlink is much more effective and better designed.
Best regards,
Krzysztof Olędzki
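The advice above is to replace the full /proc dump (which on that kernel held the conntrack lock for the whole 415k-entry walk) with a netlink query, and to push the filter into the kernel instead of piping everything through grep. The following is an added example, not code from this thread or from the conntrack-tools project. It assumes the line layout of /proc/net/ip_conntrack and `conntrack -L` output is as in the constructed SAMPLE_LINES, that the conntrack CLI accepts `-L` with `-p`, `-s` and `--dport` filters, and that the table size sysctl is readable at /proc/sys/net/netfilter/nf_conntrack_count; the parser, filter and argv builder are hypothetical helpers written here.

```python
"""Inspect the conntrack table without the full-table /proc dump.

Added example (not code from the thread or from conntrack-tools).
Assumptions: the text layout of `conntrack -L` / /proc/net/ip_conntrack
lines is as in SAMPLE_LINES below; the conntrack CLI accepts -L with
-p / -s / --dport filters; nf_conntrack_count is readable under /proc/sys.
"""
import subprocess

# Constructed sample lines in the ip_conntrack / `conntrack -L` layout.
SAMPLE_LINES = [
    "tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=45678 dport=80 "
    "packets=12 bytes=1530 src=198.51.100.5 dst=192.0.2.10 sport=80 dport=45678 "
    "packets=9 bytes=6210 [ASSURED] mark=0 use=1",
    "udp      17 29 src=192.0.2.11 dst=198.51.100.53 sport=51820 dport=53 "
    "[UNREPLIED] src=198.51.100.53 dst=192.0.2.11 sport=53 dport=51820 mark=0 use=1",
    "tcp      6 118 SYN_SENT src=192.0.2.12 dst=203.0.113.9 sport=40000 dport=22 "
    "[UNREPLIED] src=203.0.113.9 dst=192.0.2.12 sport=22 dport=40000 mark=0 use=1",
]

_INT_KEYS = {"sport", "dport", "packets", "bytes"}
_TUPLE_KEYS = {"src", "dst"} | _INT_KEYS


def parse_conntrack_line(line):
    """Parse one entry into proto, timeout, state, orig/reply tuples, flags, attrs."""
    tokens = line.split()
    if len(tokens) < 3:
        raise ValueError("not a conntrack entry: %r" % line)
    rec = {"proto": tokens[0], "protonum": int(tokens[1]), "timeout": None,
           "state": None, "orig": {}, "reply": {}, "flags": [], "attrs": {}}
    i = 2
    if tokens[i].isdigit():            # remaining lifetime in seconds
        rec["timeout"] = int(tokens[i])
        i += 1
    if i < len(tokens) and "=" not in tokens[i] and not tokens[i].startswith("["):
        rec["state"] = tokens[i]       # TCP state name; absent for udp/icmp
        i += 1
    side = "orig"
    for tok in tokens[i:]:
        if tok.startswith("[") and tok.endswith("]"):
            rec["flags"].append(tok[1:-1])   # ASSURED, UNREPLIED
            continue
        if "=" not in tok:
            continue
        key, val = tok.split("=", 1)
        if key in _TUPLE_KEYS:
            if key == "src" and "src" in rec[side]:
                side = "reply"          # second src= starts the reply tuple
            rec[side][key] = int(val) if key in _INT_KEYS else val
        else:
            rec["attrs"][key] = val     # mark, use, secmark, ...
    return rec


def matches(rec, proto=None, state=None, addr=None, port=None, flag=None):
    """True if the entry satisfies every given criterion (either direction)."""
    tuples = (rec["orig"], rec["reply"])
    if proto and rec["proto"] != proto:
        return False
    if state and rec["state"] != state:
        return False
    if addr and not any(t.get(k) == addr for t in tuples for k in ("src", "dst")):
        return False
    if port and not any(t.get(k) == port for t in tuples for k in ("sport", "dport")):
        return False
    if flag and flag not in rec["flags"]:
        return False
    return True


def filter_entries(lines, **criteria):
    """Userspace-side filter, the structured replacement for `| grep 'something'`."""
    return [r for r in (parse_conntrack_line(l) for l in lines if l.strip())
            if matches(r, **criteria)]


def conntrack_argv(proto=None, src=None, dport=None):
    """Build a `conntrack -L` command whose filter is applied by the kernel over
    netlink, so only matching entries are copied to userspace at all."""
    argv = ["conntrack", "-L"]
    if proto:
        argv += ["-p", proto]
    if src:
        argv += ["-s", src]
    if dport:
        if not proto:
            raise ValueError("--dport needs -p")
        argv += ["--dport", str(dport)]
    return argv


def table_size():
    """Cheap size check before any dump: the sysctl quoted in the thread."""
    try:
        with open("/proc/sys/net/netfilter/nf_conntrack_count") as f:
            return int(f.read())
    except OSError:
        return None


def live_entries(**kw):
    """Run the filtered netlink dump and parse it (needs root and conntrack-tools)."""
    out = subprocess.run(conntrack_argv(**kw), capture_output=True,
                         text=True, check=True).stdout
    return [parse_conntrack_line(l) for l in out.splitlines() if l.strip()]


if __name__ == "__main__":
    print("nf_conntrack_count:", table_size())
    for r in filter_entries(SAMPLE_LINES, proto="tcp", port=80):
        print(r["state"], r["orig"]["src"], "->", r["orig"]["dst"], r["flags"])
```

On a live router you would call `live_entries(proto="tcp", dport=80)` so the kernel-side filter does the work; `filter_entries` is there for post-processing a dump you already have (or a saved one), and `table_size()` tells you before the dump how many entries a full walk would touch.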
* Re: DoS by cat /proc/net/ip_conntrack ?
2008-03-06 13:51 ` Krzysztof Oledzki
@ 2008-03-08 12:26 ` Jarek Poplawski
2008-03-08 12:33 ` Jarek Poplawski
0 siblings, 1 reply; 7+ messages in thread
From: Jarek Poplawski @ 2008-03-08 12:26 UTC (permalink / raw)
To: Krzysztof Oledzki; +Cc: Denys Fedoryshchenko, netdev
Krzysztof Oledzki wrote, On 03/06/2008 02:51 PM:
>
> On Thu, 6 Mar 2008, Denys Fedoryshchenko wrote:
...
>> I tried to issue the command cat /proc/net/ip_conntrack | grep 'something'
>>
>> The router went dead for about 2 minutes; even my ssh session got disconnected.
...
>> I don't think it is normal that such a command takes a lot of system resources
>> and causes the whole system to hang.
>>
>> Kernel 2.6.24.2
>
> The answer is quite simple here: don't do this. Instead use "conntrack -L"
> as netlink is much more effective and better designed.
I think Denys is concerned about some other, maybe too curious, users,
if they can read this?
Regards,
Jarek P.
* Re: DoS by cat /proc/net/ip_conntrack ?
2008-03-08 12:26 ` Jarek Poplawski
@ 2008-03-08 12:33 ` Jarek Poplawski
2008-03-08 14:24 ` Denys Fedoryshchenko
0 siblings, 1 reply; 7+ messages in thread
From: Jarek Poplawski @ 2008-03-08 12:33 UTC (permalink / raw)
Cc: Krzysztof Oledzki, Denys Fedoryshchenko, netdev
Jarek Poplawski wrote, On 03/08/2008 01:26 PM:
...
> I think Denys is concerned about some other, maybe too curious, users,
> if they can read this?
OOPS! I see it's root only...
Then only their curiosity could be dangerous here!
Sorry,
Jarek P.
* Re: DoS by cat /proc/net/ip_conntrack ?
2008-03-08 12:33 ` Jarek Poplawski
@ 2008-03-08 14:24 ` Denys Fedoryshchenko
2008-03-08 14:44 ` Jarek Poplawski
0 siblings, 1 reply; 7+ messages in thread
From: Denys Fedoryshchenko @ 2008-03-08 14:24 UTC (permalink / raw)
To: Jarek Poplawski; +Cc: Krzysztof Oledzki, netdev
For me personally, I think it must be a rule that _READING_ must not hang the
whole system by consuming all resources (the router becoming completely
unreachable and blocking all traffic passing through it). It can hang the console
or the current program, but not crash the router.
On Sat, 08 Mar 2008 13:33:10 +0100, Jarek Poplawski wrote
> Jarek Poplawski wrote, On 03/08/2008 01:26 PM:
> ....
>
> > I think Denys is concerned about some other, maybe too curious, users,
> > if they can read this?
>
> OOPS! I see it's root only...
>
> Then only their curiosity could be dangerous here!
>
> Sorry,
> Jarek P.
--
Denys Fedoryshchenko
Technical Manager
Virtual ISP S.A.L.
* Re: DoS by cat /proc/net/ip_conntrack ?
2008-03-08 14:24 ` Denys Fedoryshchenko
@ 2008-03-08 14:44 ` Jarek Poplawski
2008-03-08 15:18 ` Patrick McHardy
0 siblings, 1 reply; 7+ messages in thread
From: Jarek Poplawski @ 2008-03-08 14:44 UTC (permalink / raw)
To: Denys Fedoryshchenko; +Cc: Krzysztof Oledzki, netdev
On Sat, Mar 08, 2008 at 04:24:34PM +0200, Denys Fedoryshchenko wrote:
> For me personally, I think it must be a rule that _READING_ must not hang the
> whole system by consuming all resources (the router becoming completely
> unreachable and blocking all traffic passing through it). It can hang the console
> or the current program, but not crash the router.
IMHO you're right, and it's a bug. Only calling this a DoS probably isn't
very right if only root can do this, but maybe I'm wrong.
Jarek P.
* Re: DoS by cat /proc/net/ip_conntrack ?
2008-03-08 14:44 ` Jarek Poplawski
@ 2008-03-08 15:18 ` Patrick McHardy
0 siblings, 0 replies; 7+ messages in thread
From: Patrick McHardy @ 2008-03-08 15:18 UTC (permalink / raw)
To: Jarek Poplawski; +Cc: Denys Fedoryshchenko, Krzysztof Oledzki, netdev
Jarek Poplawski wrote:
> On Sat, Mar 08, 2008 at 04:24:34PM +0200, Denys Fedoryshchenko wrote:
>
>> For me personally, I think it must be a rule that _READING_ must not hang the
>> whole system by consuming all resources (the router becoming completely
>> unreachable and blocking all traffic passing through it). It can hang the console
>> or the current program, but not crash the router.
>>
>
> IMHO you're right, and it's a bug. Only calling this a DoS probably isn't
> very right if only root can do this, but maybe I'm wrong.
>
Starting with current -git we don't take the conntrack
lock for /proc anymore, so it should behave better now.