ip contrack problem, not strictly followed RFC, DoS very much possible

From: Grzegorz Piotr Jaskiewicz (gj_at_pointblue.com.pl)
Date: 12/06/04

  • Next message: Bartlomiej Zolnierkiewicz: "Re: 2.6.9 slows down everything" 
    Date:	Mon, 06 Dec 2004 14:54:59 +0100
To: kernel list <linux-kernel@vger.kernel.org>

    Hi list

    There is little bug, eversince, no author would agree to correct it
    (dunno why) in ip_conntrack_proto_tcp.c:91:
    unsigned long ip_ct_tcp_timeout_established = 5 DAYS;

    Making it 5 days, makes linux router vournable to (D)DoS attacks. You
    can fill out conntrack hash tables very quickly, making it virtually
    dead. This computer will only respond to direct action, from keyboard,
    com port. This is insane, it just blocks it self, and does nothing, no
    fallback scenario, nothing.
    As far as I remember ( I have to look and find exact place where it's
    writen ), RFC specifies this timeout as max 100s. 5 days is insane, and
    no argumentation will explain it. I would suggest changing it to 100
    SECS and remove line:
    #define DAYS * 24 HOURS

    as it won't be used anymore.

    If someone has argumentation for 5 days timeout, please speak out. In
    everyday life, router, desktop, server usage 100s is enough there, and
    makes my life easier, as many other linux admins.

    Thanks. 

    -- 
GJ
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/
  • Next message: Bartlomiej Zolnierkiewicz: "Re: 2.6.9 slows down everything"

    Relevant Pages