problems in tcp connection tracking

On Wednesday 02 October 2002 8:40 pm, pfy wrote:

> hi
> there seems to be a bug in tcp connection tracking: if a
> connection does NOT close with a RST, then the state of the
> connection remains ESTABLISHED.

I disagree. Standard FIN-ACK packets close connections perfectly well.

> So if you put a rule up like this on an attacker machine:
> iptables -A OUTPUT --dst <victim> -p tcp --tcp-flags ALL RST -j DROP

Let's see, what does this rule do? On *my* machine (assuming I'm the 
attacker :-), it stops me sending RST (only) packets to the specific 
destination...

Now, why would my machine want to send a RST packet anyway?

> and then connection flood the victim, the connection track table
> will overflow

Well, yes, this is pretty much the definition of a connection flood. 
Nothing to do with RST packets...

Have I misunderstood something significant here?


Antony.

-- 

Anything that improbable is effectively impossible.

 - Murray Gell-Mann, Nobel Prizewinner in Physics
