I am not sure if this is the right list to point out some linux TCP
implementation "weakness" but I think that something should be done
first at the kernel level and after with any other way (firewalling etc).
I am using 2.0.38 and I am receiving lots of DoS attacks on one of my
servers (used as ftp and irc server as well). A piece of tcpdump follows:
02:52:44.448067 184.108.40.206.1969 > 220.127.116.11.122: . ack 1247023010 win 655
02:52:44.448067 18.104.22.168.122 > 22.214.171.124.1969: R 1247023010:1247023010(0) win 0
02:52:44.448067 126.96.36.199.1695 > 188.8.131.52.123: . ack 1247023010 win 655
02:52:44.448067 184.108.40.206.123 > 220.127.116.11.1695: R 1247023010:1247023010(0) win 0
02:52:44.448067 18.104.22.168.1397 > 22.214.171.124.11: . ack 1628640333 win 6553
02:52:44.448067 126.96.36.199.11 > 188.8.131.52.1397: R 1628640333:1628640333(0) win 0
The DoS is caused by the machine itself since it floods out itself with RST
packets, since the machine replies to MANY repeated incoming ACK packets hitting
- Could there be some kind of handling for such packets (meaning TCP packets
reaching at an unused port with ACK bit set - with no previous SYN etc packet)
to avoid such DoS attacks? Is the same happening to newer kernels? If yes,
should we just eat it and shut up (because that's the way TCP works and it
will not change)?
- To do something about the above DoS, I am raw monitoring every incoming packet
and, for every incoming packet I receive with ACK bit set, I bind to that
port and if it is used, then I let it pass or else I block it (for some
random minutes) with ipfw. I tried to read /proc/net/tcp to find out which
ports are used but that came out to be bad because if I read /proc/net/tcp
too fast and many times per second, the load average goes really high.
So, is there any way, any documentation about any system call or any
more direct, faster kernel-way to get what /proc/net/tcp gives at any time?
If yes, could you please direct me there?
I haven't used iptables yet but I think they can handle packets with various
bits set (including RST), unlike ipfw. But, is there any way with iptables
to know if a port is "used" or "unused" at any time? And if yes, in what
state (listening, in the middle of a 3-way TCP handshake etc.) as well?
Good day to all.
-- George Athanassopoulos
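The two checks the post describes, decoding /proc/net/tcp into a port-to-state table and spotting the bare ACKs to unused ports that draw RST replies, as an added example that is not the poster's tool or kernel code. The /proc/net/tcp excerpt, the tcpdump lines and the local address 192.0.2.1 are constructed samples.

```python
"""Example for this thread (not the poster's tool): decode /proc/net/tcp into
{port: state} and flag tcpdump lines showing bare ACKs to unused ports. The
/proc/net/tcp excerpt and tcpdump lines below are constructed samples."""
import re

# TCP state codes as they appear (hex) in the "st" column of /proc/net/tcp.
TCP_STATES = {1: "ESTABLISHED", 2: "SYN_SENT", 3: "SYN_RECV", 4: "FIN_WAIT1",
              5: "FIN_WAIT2", 6: "TIME_WAIT", 7: "CLOSE", 8: "CLOSE_WAIT",
              9: "LAST_ACK", 10: "LISTEN", 11: "CLOSING"}

# Constructed excerpt: ftp (0x0015 = 21) listening; irc (0x1A0B = 6667) with
# one established client plus its listener.
PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0015 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234
   1: 0100007F:1A0B 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 1235
   2: 00000000:1A0B 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1236
"""

def parse_proc_net_tcp(text):
    """Return {local_port: state_name}; a LISTEN entry wins over connections."""
    ports = {}
    for fields in (ln.split() for ln in text.splitlines()[1:]):  # skip header
        if len(fields) < 4:
            continue
        port = int(fields[1].split(":")[1], 16)  # local port is hex
        state = TCP_STATES.get(int(fields[3], 16), "UNKNOWN")
        if port not in ports or state == "LISTEN":
            ports[port] = state
    return ports

# Constructed tcpdump lines in the post's format: a bare ACK to an unused
# port, the host's RST reply, and a bare ACK to the live irc port.
TCPDUMP = """\
02:52:44.448067 10.0.0.9.1969 > 192.0.2.1.122: . ack 1247023010 win 655
02:52:44.448067 192.0.2.1.122 > 10.0.0.9.1969: R 1247023010:1247023010(0) win 0
02:52:45.000000 10.0.0.9.2001 > 192.0.2.1.6667: . ack 99 win 655
"""
LINE_RE = re.compile(r"^\S+ (\S+)\.(\d+) > (\S+)\.(\d+): (\S+) (.*)$")

def unsolicited_acks(dump, port_table, local_ip):
    """List (src_ip, dst_port) of inbound '.'-flag segments with an ack number
    aimed at a local port that has no socket; these are what draw the RSTs."""
    hits = []
    for line in dump.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(3) != local_ip or m.group(5) != ".":
            continue
        if m.group(6).startswith("ack ") and int(m.group(4)) not in port_table:
            hits.append((m.group(1), int(m.group(4))))
    return hits
```

Reading /proc/net/tcp once per interval and diffing the table is far cheaper than re-reading it per packet, which is the load problem the post describes.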
This archive was generated by hypermail 2b29 : Thu Sep 07 2000 - 21:00:30 EST