Re: conntrack and RSTs received during CLOSE_WAIT

[Cc-ing netfilter-devel]

On Wed, 20 May 2009, Robert L Mathews wrote:

> > It seems that all an attacker needs to do is send invalid RST packets 
> > with a sequence number one less than the last ACK received from the 
> > server. Then conntrack will forget about the connection, allowing the 
> > attacker to open as many connections as desired, regardless of 
> > connlimit limits.
> >
> > I wrote a little perl script that I can leave running in the 
> > background on the client to send the necessary RST packets. In my 
> > testing, it does allow me to bypass connlimit restrictions on a 
> > server:
> > 
> >  http://www.tigertech.net/patches/rawip.pl
> > 
> > This seems to make connlimit less useful than I'd previously believed. 
> > Am I just misunderstanding something?
> 
> > No, you are correct.
> 
> Hmmm, okay. I must say I'm a little surprised by that. I've seen plenty 
> of people using connlimit and connbytes (for example) to protect against 
> all kinds of things, and I don't think it's widely known that it's 
> trivial for an attacker to bypass those restrictions.

I think because it is *not* widely known. The credit is yours for 
discovering how to bypass connlimit/connbytes.
 
> > If you want to eliminate the possibility to bypass connlimit with 
> > properly crafted RST segments, probably you should use the recent 
> > match and count the created NEW connections.
> 
> My goal with connlimit is to limit simultaneous connections so that it
> prevents a single client from using up all the Apache process slots.
> 
> However, I don't want to limit how many connections they can open in a 
> period of time.
> 
> For example, it's perfectly fine for someone to open, say, 500 
> connections per minute, as long as they don't open more than 40 at a 
> time. But I do need to block the 41st simultaneous connection even from 
> people who open up connections very slowly, such as someone who opens up 
> just five connections per hour and never closes them.
> 
> Is that something the "recent" feature can help with? I'm not seeing how
> that's possible, but perhaps I'm missing something.

No, that's not possible with "recent".

Because connlimit/connbytes rely on conntrack, the latter should be 
"fixed". However I do not see any way to make it resistant against such 
attacks: if we shrink the window (by which algorithm?) we may block valid 
RST segments and thus cause connections to hang instead of termination.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
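As an added illustration (not code from this thread or from netfilter), the check below applies the RFC 5961 rule, that a RST is only valid when its sequence number is exactly the receiver's expected next sequence (RCV.NXT), to a constructed packet list, reporting RSTs that are off by one like the ones discussed above. The packet records, addresses and sequence numbers are constructed sample data; a stateful tracker cannot know whether the endpoint itself accepted such a RST, which is the dilemma Jozsef describes.

```python
"""Flag client->server RSTs whose sequence number is not exactly the
server's last advertised ACK (the server's RCV.NXT). An endpoint following
RFC 5961 answers such a RST with a challenge ACK instead of tearing the
connection down, while a window-tolerant tracker may still drop its state."""

# Constructed sample capture (not from the thread): each record is
# (src, dst, tcp_flags, seq, ack). Client 10.0.0.2 talks to server 10.0.0.1:80.
SAMPLE = [
    ("10.0.0.2:40000", "10.0.0.1:80", "S",  1000, 0),
    ("10.0.0.1:80", "10.0.0.2:40000", "SA", 5000, 1001),
    ("10.0.0.2:40000", "10.0.0.1:80", "A",  1001, 5001),
    ("10.0.0.2:40000", "10.0.0.1:80", "PA", 1001, 5001),  # 100 bytes of payload
    ("10.0.0.1:80", "10.0.0.2:40000", "A",  5001, 1101),  # server now expects 1101
    ("10.0.0.2:40000", "10.0.0.1:80", "R",  1100, 0),     # RST one below RCV.NXT
    ("10.0.0.2:40001", "10.0.0.1:80", "S",  2000, 0),
    ("10.0.0.1:80", "10.0.0.2:40001", "SA", 6000, 2001),
    ("10.0.0.2:40001", "10.0.0.1:80", "R",  2001, 0),     # exact-match RST, valid
]


def find_offbyone_rsts(packets, server):
    """Return (client, rst_seq, expected_seq) for each RST sent to `server`
    whose sequence number differs from the server's last ACK for that flow."""
    expected = {}  # client endpoint -> last ack number the server sent
    findings = []
    for src, dst, flags, seq, ack in packets:
        if src == server and "A" in flags:
            # Every ACK from the server states the sequence it expects next.
            expected[dst] = ack
        elif dst == server and "R" in flags:
            want = expected.get(src)
            if want is not None and seq != want:
                findings.append((src, seq, want))
    return findings


if __name__ == "__main__":
    for client, seq, want in find_offbyone_rsts(SAMPLE, "10.0.0.1:80"):
        print(f"suspect RST from {client}: seq={seq}, server expects {want}")
```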
