ip contrack problem, not strictly followed RFC, DoS very much possible

From: Grzegorz Piotr Jaskiewicz
Date: Mon Dec 06 2004 - 08:56:58 EST


Hi list

There is little bug, eversince, no author would agree to correct it (dunno why) in ip_conntrack_proto_tcp.c:91:
unsigned long ip_ct_tcp_timeout_established = 5 DAYS;

Making it 5 days, makes linux router vournable to (D)DoS attacks. You can fill out conntrack hash tables very quickly, making it virtually dead. This computer will only respond to direct action, from keyboard, com port. This is insane, it just blocks it self, and does nothing, no fallback scenario, nothing.
As far as I remember ( I have to look and find exact place where it's writen ), RFC specifies this timeout as max 100s. 5 days is insane, and no argumentation will explain it. I would suggest changing it to 100 SECS and remove line:
#define DAYS * 24 HOURS

as it won't be used anymore.

If someone has argumentation for 5 days timeout, please speak out. In everyday life, router, desktop, server usage 100s is enough there, and makes my life easier, as many other linux admins.

Thanks.

--
GJ
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/