Re: linux kernel TCP, network connections and iptables

From: George Athanassopoulos (
Date: Thu Sep 07 2000 - 19:01:08 EST

On Fri, 8 Sep 2000, Andi Kleen wrote:

:If Linux stopped sending ACKs for out of order packets your machine would
:be pretty much unusable over lossy links (because fast retransmit would
:not work properly anymore) But that of course can be used
:to cause your machine to send at least an outgoing packet for each incoming

  Sending one outgoing packet for every incoming trash packet to an
  unused (non-listening) port with a non-lossy fast link, is bad.

:You don't need the patch as I pointed out, it can be all done from user space
:using tc
:But it'll only stop a single attack, but there are lots of other attacks

  Userspace handling is good but not best for such (I repeat) "weakness".

:It would probably be more useful to find out why an attack kills other
:systems on your net. I guess you have a fast internet connection (near
:your ethernet speed) and you're probably using half duplex ethernet,

  I have an 100Mbps full duplex switched LAN connected on a 12mbps ->
  on a 33Mbps -> Ten-155. When incoming flood from hundreds ip addresses
  occurs (some of them spoofed while 95% of them not spoofed) hitting
  unused TCP ports, my machine starts replying RSTs for every incoming
  packet so fast that almost all the way to ten-155 is flooded badly.
  Of course I can still communicate with machines on the same LAN, I
  can still communicate (with big lag) with neibhouring LANs but that's
  it, no further.
  With my quick-n-dirty "dynamic firewalling" (if I could call it that way)
  I put a blocking rule with ipfw for every incoming packet for some time
  (about 15 minutes) and I remove it after. That seems to work but does
  not seem optimal as it would be , let's say, iptables' RST handling but
  with option to check if the target port is already "used". Which it would
  be much faster.

George Athanassopoulos

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to Please read the FAQ at

This archive was generated by hypermail 2b29 : Thu Sep 07 2000 - 21:00:31 EST