On Thu, 21 May 2009, Anatoly Muliarski wrote:

> > Because connlimit/connbytes rely on conntrack, the latter should be
> > "fixed". However I do not see any way to make it resistant against such
> > attacks: if we shrink the window (by which algorithm?) we may block valid
> > RST segments and thus cause connections to hang instead of termination.
>
> I would like to put in some words.
> Obviously the problem is in conntrack code.
> IMHO, to solve this issue the code should track tcp sequence number
> and check its correctness on receiving RST packet and on the following
> decision about removing the conntrack entry.

The TCP sequence numbers *are* tracked and checked - but with the limit of
a node being in the middle of the two communicating endpoints. That limit
is physical and cannot be discarded.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary