I haven't received any more follow-ups on this, so I'll try to hack some
solution around the problem.

But I will mention that I'm surprised that this didn't generate more
discussion. Unless I'm confused (which is possible), sending
out-of-sequence RST packets appears to be a trivial way to bypass connlimit.

It seems that all an attacker needs to do is send invalid RST packets
with a sequence number one less than the last ACK received from the
server. Then conntrack will forget about the connection, allowing the
attacker to open as many connections as desired, regardless of connlimit
limits.

I wrote a little perl script that I can leave running in the background
on the client to send the necessary RST packets. In my testing, it does
allow me to bypass connlimit restrictions on a server:

http://www.tigertech.net/patches/rawip.pl

This seems to make connlimit less useful than I'd previously believed.
Am I just misunderstanding something?
--
Robert L Mathews, Tiger Technologies http://www.tigertech.net/
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
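The message above describes RST segments whose sequence number does not match what the server last acknowledged. As an added example (not part of the original post, and unrelated to the author's linked script), the following Python is a defender-side flow monitor that applies the exact-match check a stricter tracker would use: it remembers the server's last ACK number per connection and flags any client RST whose sequence number differs from it, counting such RSTs per source address so they can be alerted on. The `Segment` records, the `SERVER_PORT` value and the traffic in `run_demo()` are all constructed for the example; this is a simplified model, not a pcap parser and not the kernel's conntrack logic.

```python
"""Flag TCP RST segments whose sequence number is out of step with the
server's last ACK (constructed example, not the kernel's conntrack code)."""
from collections import defaultdict
from dataclasses import dataclass

SERVER_PORT = 80  # assumption: the protected service listens on this port


@dataclass(frozen=True)
class Segment:
    """Minimal view of one TCP segment (constructed, not a real capture)."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ack: int
    flags: str  # e.g. "S", "SA", "A", "PA", "R"


class RstMonitor:
    def __init__(self):
        # (client_ip, client_port, server_ip, server_port) -> seq the server
        # last acknowledged, i.e. the only seq an honest client RST should carry
        self.expected_client_seq = {}
        self.suspect_rsts = defaultdict(int)  # client_ip -> out-of-seq RST count

    def observe(self, seg):
        """Feed one segment. Returns 'in-seq' or 'out-of-seq' for client RSTs,
        None for everything else."""
        if seg.sport == SERVER_PORT:
            # Server -> client: its ACK number is the client's next expected seq.
            key = (seg.dst, seg.dport, seg.src, seg.sport)
            if "A" in seg.flags:
                self.expected_client_seq[key] = seg.ack & 0xFFFFFFFF
            return None
        if "R" not in seg.flags:
            return None
        key = (seg.src, seg.sport, seg.dst, seg.dport)
        expected = self.expected_client_seq.get(key)
        if expected is None:
            return None  # no state for this flow; nothing to compare against
        if seg.seq == expected:
            return "in-seq"
        # A strict tracker would ignore this RST rather than tear the flow down;
        # either way it is worth counting per source for alerting.
        self.suspect_rsts[seg.src] += 1
        return "out-of-seq"

    def clients_over_threshold(self, threshold):
        """Sorted client IPs that sent at least `threshold` out-of-seq RSTs."""
        return sorted(ip for ip, n in self.suspect_rsts.items() if n >= threshold)


def run_demo():
    """Replay constructed traffic: one well-behaved client that resets its
    connection with the correct seq, and one client whose RSTs carry
    seq = (last server ACK - 1), the pattern described in the post."""
    srv = "192.0.2.10"
    traffic = [
        # Client A: handshake, 100 bytes of data, then a legitimate RST.
        Segment("10.0.0.5", 40000, srv, 80, 1000, 0, "S"),
        Segment(srv, 80, "10.0.0.5", 40000, 5000, 1001, "SA"),
        Segment("10.0.0.5", 40000, srv, 80, 1001, 5001, "A"),
        Segment("10.0.0.5", 40000, srv, 80, 1001, 5001, "PA"),
        Segment(srv, 80, "10.0.0.5", 40000, 5001, 1101, "A"),
        Segment("10.0.0.5", 40000, srv, 80, 1101, 5001, "R"),
        # Client B: handshake, then repeated RSTs one below the server's ACK.
        Segment("10.0.0.6", 40001, srv, 80, 2000, 0, "S"),
        Segment(srv, 80, "10.0.0.6", 40001, 7000, 2001, "SA"),
        Segment("10.0.0.6", 40001, srv, 80, 2001, 7001, "A"),
        Segment("10.0.0.6", 40001, srv, 80, 2000, 7001, "R"),
        Segment("10.0.0.6", 40001, srv, 80, 2000, 7001, "R"),
    ]
    monitor = RstMonitor()
    verdicts = [v for v in (monitor.observe(s) for s in traffic) if v is not None]
    return monitor, verdicts


if __name__ == "__main__":
    mon, results = run_demo()
    print("RST verdicts:", results)
    print("out-of-seq RSTs per client:", dict(mon.suspect_rsts))
    print("clients at/over threshold 2:", mon.clients_over_threshold(2))
```

The comparison is deliberately an exact match against the server's last ACK rather than a window check, because a window-tolerant rule is precisely what lets a RST with seq one below the acknowledged value be accepted. Per-source counts give a cheap signal for a connlimit-style rule that should not be resettable by forged RSTs.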