Re: ip contrack problem, not strictly followed RFC, DoS very much possible

From: Valdis . Kletnieks
Date: Mon Dec 06 2004 - 14:49:54 EST

Next message: William Lee Irwin III: "Re: 2.6.9 slows down everything"
Previous message: Takashi Iwai: "Re: [Alsa-devel] Re: [2.6 patch] ALSA: misc cleanups"
In reply to: Lee Revell: "Re: ip contrack problem, not strictly followed RFC, DoS very muchpossible"
Next in thread: gj: "Re: ip contrack problem, not strictly followed RFC, DoS very much possible"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, 06 Dec 2004 14:54:59 +0100, Grzegorz Piotr Jaskiewicz said:

> There is little bug, eversince, no author would agree to correct it
> (dunno why) in ip_conntrack_proto_tcp.c:91:
> unsigned long ip_ct_tcp_timeout_established = 5 DAYS;

If you so desire, you can probably workaround this by doing:

echo 100 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established

Of course, then if you don't type in an SSH window for 5 minutes, it evaporates
on you - and even SSH keepalives don't help if a router takes a nose dive and
it takes 2 minutes for our NOC to slap it upside the head. This is a case
*against* keepalives there - if a router hiccups and drops a keepalive on an
otherwise idle session, you nuke a perfectly good idle session for reasons
totally contrary to the original purpose of TCP, namely to *survive* such a
router burp.

Attachment: pgp00000.pgp
Description: PGP signature

Next message: William Lee Irwin III: "Re: 2.6.9 slows down everything"
Previous message: Takashi Iwai: "Re: [Alsa-devel] Re: [2.6 patch] ALSA: misc cleanups"
In reply to: Lee Revell: "Re: ip contrack problem, not strictly followed RFC, DoS very muchpossible"
Next in thread: gj: "Re: ip contrack problem, not strictly followed RFC, DoS very much possible"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]