ip contrack problem, not strictly followed RFC, DoS very much possible
From: Grzegorz Piotr Jaskiewicz
Date: Mon Dec 06 2004 - 08:56:58 EST
Hi list
There is little bug, eversince, no author would agree to correct it
(dunno why) in ip_conntrack_proto_tcp.c:91:
unsigned long ip_ct_tcp_timeout_established = 5 DAYS;
Making it 5 days, makes linux router vournable to (D)DoS attacks. You
can fill out conntrack hash tables very quickly, making it virtually
dead. This computer will only respond to direct action, from keyboard,
com port. This is insane, it just blocks it self, and does nothing, no
fallback scenario, nothing.
As far as I remember ( I have to look and find exact place where it's
writen ), RFC specifies this timeout as max 100s. 5 days is insane, and
no argumentation will explain it. I would suggest changing it to 100
SECS and remove line:
#define DAYS * 24 HOURS
as it won't be used anymore.
If someone has argumentation for 5 days timeout, please speak out. In
everyday life, router, desktop, server usage 100s is enough there, and
makes my life easier, as many other linux admins.
Thanks.
--
GJ
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/