Re: (iptables) ip_conntrack bug?

From: safemode (safemode@voicenet.com)
Date: Wed Nov 15 2000 - 16:34:50 EST

Next message: Eric Reischer: "vfat problems"
Previous message: H. Peter Anvin: "Re: test11-pre5, Athlon, and Machine Check Architecture"
In reply to: Guus Sliepen: "Re: (iptables) ip_conntrack bug?"
Next in thread: Guus Sliepen: "Re: (iptables) ip_conntrack bug?"
Reply: Guus Sliepen: "Re: (iptables) ip_conntrack bug?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, 15 Nov 2000 16:19:23 Guus Sliepen wrote:
> On Wed, Nov 15, 2000 at 03:46:03PM -0500, safemode wrote:
>
> > I was DDoS'd today while away and came home to find the firewall unable
> to
> > do anything network related (although my connection to irc was still
> > working oddly). a quick dmesg showed the problem.
> > ip_conntrack: maximum limit of 2048 entries exceeded
> [...]
>
> I have also seen this happen on a box which ran test9. Apparently because
> of
> it's long uptime, because the logs should no signs of an attack.
>
> I guess conntrack forgets to flush some entries? Or maybe there is no way
> it can
> recover from a full conntrack table? Is it maybe necessary to make the
> maximum
> size a configurable option? Or a userspace conntrack daemon like the
> arpd?

I think something is wrong if the ip_conntrack module does not
flush it's table after the connections and all that stop. I understand why
it does this during the attack...but it doesn't make sense why these tables
are kept long after. A userspace tool is not something i think is needed,
this piece of code should be in the module, it is either not correctly
coded or missing entirely.

> I also see a lot of messages like this (on all 2.4 test kernels):
>
> NAT: 0 dropping untracked packet c00643f0 1 131.211.122.89 -> 224.0.0.2
> NAT: 0 dropping untracked packet c05468e0 1 131.211.122.89 -> 224.0.0.2
> NAT: 0 dropping untracked packet c0064760 1 131.211.122.31 -> 224.0.0.2
>
> Turning of multicast on the respective network interface does not stop
> these
> messages, but anyway they seem rather annoying to me :)

Everyone has seen that :) ... that's not exactly what i was talking about
the main error message i was worried about was the "ip_conntrack: maximum
limit of 2048 entries exceeded" when there was absolutely not traffic
coming in and the attack was long since over. I think this is a fairly
major bug with the module since it made the firewall inoperable until i
reloaded the module.. this DDoS could be repeated on any linux box that is
not babysat 24/7 it seems. My firewall drops everything so all the
attacker needs to do is get a bunch of sources to send packets (specific?
not sure) rapidly enough to fill the ip_conntrack table and your site
becomes offline. any other ideas?

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/

Next message: Eric Reischer: "vfat problems"
Previous message: H. Peter Anvin: "Re: test11-pre5, Athlon, and Machine Check Architecture"
In reply to: Guus Sliepen: "Re: (iptables) ip_conntrack bug?"
Next in thread: Guus Sliepen: "Re: (iptables) ip_conntrack bug?"
Reply: Guus Sliepen: "Re: (iptables) ip_conntrack bug?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b29 : Wed Nov 15 2000 - 21:00:29 EST