linux kernel TCP, network connections and iptables

From: George Athanassopoulos (athanas@real.macedonia.gr)
Date: Thu Sep 07 2000 - 09:56:17 EST


Hello,
I am not sure if this is the right list to point out some linux TCP
implementation "weakness" but I think that something should be done
first at the kernel level and after with any other way (firewalling etc).
The problem:
I am using 2.0.38 and I am receiving lots of DoS attacks on one of my
servers (used as ftp and irc server as well). A piece of tcpdump follows:
02:52:44.448067 213.11.1.241.1969 > 155.207.19.200.122: . ack 1247023010 win 655
35 (DF)
02:52:44.448067 155.207.19.200.122 > 213.11.1.241.1969: R 1247023010:1247023010(
0) win 0
02:52:44.448067 213.11.1.154.1695 > 155.207.19.200.123: . ack 1247023010 win 655
35 (DF)
02:52:44.448067 155.207.19.200.123 > 213.11.1.154.1695: R 1247023010:1247023010(
0) win 0
02:52:44.448067 213.11.37.32.1397 > 155.207.19.200.11: . ack 1628640333 win 6553
5 (DF)
02:52:44.448067 155.207.19.200.11 > 213.11.37.32.1397: R 1628640333:1628640333(0
) win 0

The DoS is caused by the machine itself since it floods out itself with RST
packets, since the machine replies to MANY repeated incoming ACK packets hitting
unused ports.

The questions:
- Could there be some kind of handling for such packets (meaning TCP packets
  reaching at an unused port with ACK bit set - with no previous SYN etc packet)
  to avoid such DoS attacks? Is the same happening to newer kernels? If yes,
  should we just eat it and shut up (because that's the way TCP works and it
  will not change)?
- To do something about the above DoS, I am raw monitoring every incoming packet
  and, for every incoming packet I receive with ACK bit set, I bind to that
  port and if it is used, then I let it pass or else I block it (for some
  random minutes) with ipfw. I tried to read /proc/net/tcp to find out which
  ports are used but that came out to be bad because if I read /proc/net/tcp
  too fast and many times per second, the load average goes really high.
  So, is there any way, any documentation about any system call or any
  more direct, faster kernel-way to get what /proc/net/tcp gives at any time?
  If yes, could you please direct me there?

  I haven't used iptables yet but I think they can handle packets with various
  bits sets (including RST), unlike ipfw. But, is there any way with iptables
  to know if a port is "used" or "unused" at any time? And if yes, at what
  state (listening, at the middle of a 3-way TCP handshaking etc) also?

Good day to all.

--
George Athanassopoulos

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org Please read the FAQ at http://www.tux.org/lkml/



This archive was generated by hypermail 2b29 : Thu Sep 07 2000 - 21:00:30 EST