Re: linux kernel TCP, network connections and iptables

From: George Athanassopoulos (athanas@real.macedonia.gr)
Date: Thu Sep 07 2000 - 19:01:08 EST

Next message: Aryeh \: "support for 2 Promise 66 Ultra cards"
Previous message: Peter Samuelson: "Re: 2.4.0-test8-pre1 is quite bad / how about integrating Rik's VM"
In reply to: Andi Kleen: "Re: linux kernel TCP, network connections and iptables"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, 8 Sep 2000, Andi Kleen wrote:

:If Linux stopped sending ACKs for out of order packets your machine would
:be pretty much unusable over lossy links (because fast retransmit would
:not work properly anymore) But that of course can be used
:to cause your machine to send at least an outgoing packet for each incoming
:packet.

Sending one outgoing packet for every incoming trash packet to an
unused (non-listening) port with a non-lossy fast link, is bad.

:You don't need the patch as I pointed out, it can be all done from user space
:using tc
:But it'll only stop a single attack, but there are lots of other attacks
:possible.

Userspace handling is good but not best for such (I repeat) "weakness".

:
:It would probably be more useful to find out why an attack kills other
:systems on your net. I guess you have a fast internet connection (near
:your ethernet speed) and you're probably using half duplex ethernet,
:correct?
:
:-Andi
:

  I have an 100Mbps full duplex switched LAN connected on a 12mbps ->
  on a 33Mbps -> Ten-155. When incoming flood from hundreds ip addresses
  occurs (some of them spoofed while 95% of them not spoofed) hitting
  unused TCP ports, my machine starts replying RSTs for every incoming
  packet so fast that almost all the way to ten-155 is flooded badly.
  Of course I can still communicate with machines on the same LAN, I
  can still communicate (with big lag) with neibhouring LANs but that's
  it, no further.
  With my quick-n-dirty "dynamic firewalling" (if I could call it that way)
  I put a blocking rule with ipfw for every incoming packet for some time
  (about 15 minutes) and I remove it after. That seems to work but does
  not seem optimal as it would be , let's say, iptables' RST handling but
  with option to check if the target port is already "used". Which it would
  be much faster.

-- George Athanassopoulos http://www.real.macedonia.gr http://www.egnatia.ee.auth.gr

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org Please read the FAQ at http://www.tux.org/lkml/

Next message: Aryeh \: "support for 2 Promise 66 Ultra cards"
Previous message: Peter Samuelson: "Re: 2.4.0-test8-pre1 is quite bad / how about integrating Rik's VM"
In reply to: Andi Kleen: "Re: linux kernel TCP, network connections and iptables"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b29 : Thu Sep 07 2000 - 21:00:31 EST