Re: conntrack and RSTs received during CLOSE_WAIT

I haven't received any more follow-ups on this, so I'll try to hack some solution around the problem.

But I will mention that I'm surprised that this didn't generate more discussion. Unless I'm confused (which is possible), sending out-of-sequence RST packets appears to be a trivial way to bypass connlimit.

It seems that all an attacker needs to do is send invalid RST packets with a sequence number one less than the last ACK received from the server. Then conntrack will forget about the connection, allowing the attacker to open as many connections as desired, regardless of connlimit limits.

I wrote a little perl script that I can leave running in the background on the client to send the necessary RST packets. In my testing, it does allow me to bypass connlimit restrictions on a server:

 http://www.tigertech.net/patches/rawip.pl

This seems to make connlimit less useful than I'd previously believed. Am I just misunderstanding something?

--
Robert L Mathews, Tiger Technologies     http://www.tigertech.net/
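As an added illustration from the detection side (not part of the original message, and not the script linked above), the following Python snippet shows how an observer of the packet flow could spot the condition the post describes: a RST whose sequence number is not the one the peer is expected to send next. It is a deliberately simplified tracker, not a reimplementation of conntrack's window logic: it derives the "expected next sequence" for each direction from the last ACK seen from the other side, and it uses a constructed one-line-per-packet format (`src dst flags seq ack`) rather than real tcpdump output. The sample packets are made up for the example.

```python
"""
Flag TCP RSTs that arrive out of sequence for a tracked flow.

Simplification (assumption for this example): the "expected" sequence
number for packets from X is the ACK value most recently sent by X's peer.
A real stateful firewall accepts a window of values; here any RST whose
seq differs from the expected value is reported.
"""
from collections import namedtuple

Pkt = namedtuple("Pkt", "src dst flags seq ack")


def parse_line(line):
    # Constructed record format: "src dst flags seq ack" (no payload length).
    src, dst, flags, seq, ack = line.split()
    return Pkt(src, dst, flags, int(seq), int(ack))


def find_out_of_sequence_rsts(lines):
    """Return a list of (rst_packet, expected_seq) for suspicious RSTs."""
    expected = {}   # (src, dst) -> next seq we expect src to send towards dst
    suspicious = []
    for line in lines:
        p = parse_line(line)
        if "R" in p.flags:
            exp = expected.get((p.src, p.dst))
            if exp is not None and p.seq != exp:
                suspicious.append((p, exp))
            continue
        if "A" in p.flags:
            # An ACK from p.src states the next seq its peer (p.dst) should use.
            expected[(p.dst, p.src)] = p.ack
    return suspicious


# Constructed sample: handshake, server FIN (client now in CLOSE_WAIT),
# then two RSTs from the client: one a byte below the expected seq, one exact.
SAMPLE = [
    "10.0.0.2 10.0.0.1 S  1000 0",
    "10.0.0.1 10.0.0.2 SA 5000 1001",
    "10.0.0.2 10.0.0.1 A  1001 5001",
    "10.0.0.1 10.0.0.2 FA 5001 1001",
    "10.0.0.2 10.0.0.1 A  1001 5002",
    "10.0.0.2 10.0.0.1 R  1000 0",
    "10.0.0.2 10.0.0.1 R  1001 0",
]

if __name__ == "__main__":
    for pkt, exp in find_out_of_sequence_rsts(SAMPLE):
        print(f"out-of-sequence RST {pkt.src}->{pkt.dst}: seq={pkt.seq} expected={exp}")
```

Run as-is it reports the first RST (seq 1000 against an expected 1001) and stays quiet about the second. Feeding a count of such events per source into the same place connlimit is enforced is one way to notice the pattern this thread is about.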
