Re: conntrack and RSTs received during CLOSE_WAIT

On Tue, 19 May 2009, Robert L Mathews wrote:

> But I will mention that I'm surprised that this didn't generate more
> discussion. Unless I'm confused (which is possible), sending out-of-sequence
> RST packets appears to be a trivial way to bypass connlimit.
>
> It seems that all an attacker needs to do is send invalid RST packets with a
> sequence number one less than the last ACK received from the server. Then
> conntrack will forget about the connection, allowing the attacker to open as
> many connections as desired, regardless of connlimit limits.

Without TCP window tracking in conntrack, *any* RST segment (with proper 
src/dst ip/port, of course) would destroy the conntrack entry. With window 
tracking enabled (the default) we can maintain a window of the sequence 
numbers which are accepted and processed by conntrack. Due to the fact 
that the firewall sits in the middle and packets which have been seen by 
the firewall may get lost or even reordered in transit to the destination, 
it is impossible to calculate the *exact* window sizes of the two end 
points. Therefore the window in conntrack is wider and conntrack may process 
packets which otherwise are outside of the window of the receiver.
 
> I wrote a little perl script that I can leave running in the background on the
> client to send the necessary RST packets. In my testing, it does allow me to
> bypass connlimit restrictions on a server:
> 
>  http://www.tigertech.net/patches/rawip.pl
> 
> This seems to make connlimit less useful than I'd previously believed. Am I
> just misunderstanding something?

No, you are correct. If you want to eliminate the possibility to bypass 
connlimit with properly crafted RST segments, probably you should use the 
recent match and count the created NEW connections.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
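As an added illustration of the alternative Jozsef points to (counting NEW connections with the recent match instead of relying on connlimit), the following script is not part of this thread or of the netfilter project. It prints an iptables rule pair for one TCP port; the port (80), the limit (20 new connections per source per 60 seconds) and the list name tcp_new are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the netfilter project.
# Limit NEW TCP connections per source address with the xt_recent match.
# Assumed values: port 80, 20 SYNs per 60 seconds, recent list "tcp_new".

# Print the iptables commands for one port.
# Arguments: port, hitcount (max SYNs), seconds (observation window).
recent_rules() {
    port="$1"; hits="$2"; secs="$3"
    # Rule 1: a source already recorded $hits times within $secs seconds is
    # dropped. --update also refreshes the source's timestamp, so a source
    # that keeps sending SYNs stays blocked; --rcheck would not extend it.
    printf '%s\n' "iptables -A INPUT -p tcp --dport $port --syn -m conntrack --ctstate NEW -m recent --name tcp_new --update --seconds $secs --hitcount $hits -j DROP"
    # Rule 2: record this SYN against the source address and accept it.
    printf '%s\n' "iptables -A INPUT -p tcp --dport $port --syn -m conntrack --ctstate NEW -m recent --name tcp_new --set -j ACCEPT"
}

# Number of rules produced (sanity check for the generated output).
rule_count() {
    recent_rules "$@" | wc -l | tr -d ' '
}

# Default: print the rules for review. Run with APPLY=1 as root to load them.
if [ "${APPLY:-0}" = "1" ]; then
    recent_rules 80 20 60 | sh
else
    recent_rules 80 20 60
fi
```

The difference from connlimit is what gets counted: connlimit looks at the number of conntrack entries that currently exist for a source, so anything that makes conntrack drop an entry lowers the count, whereas the recent list records each accepted SYN with a timestamp and is never decremented by the fate of the resulting connection. The DROP rule must come before the `--set` rule, otherwise the SYN being evaluated is counted against itself. With the default xt_recent settings, `--hitcount` cannot exceed 20 unless the module is loaded with a larger `ip_pkt_list_tot`; the list is also per source address only, so it cannot express connlimit's per-subnet mask.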