Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id ; Wed, 15 Nov 2000 18:25:02 -0500 Received: (majordomo@vger.kernel.org) by vger.kernel.org id ; Wed, 15 Nov 2000 18:24:52 -0500 Received: from warande3094.warande.uu.nl ([131.211.123.94]:24149 "EHLO xar.sliepen.oi") by vger.kernel.org with ESMTP id ; Wed, 15 Nov 2000 18:24:39 -0500 Date: Wed, 15 Nov 2000 23:54:34 +0100 From: Guus Sliepen To: netfilter@us5.samba.org Cc: linux-kernel@vger.kernel.org Subject: Re: (iptables) ip_conntrack bug? Message-ID: <20001115235433.M13682@sliepen.warande.net> Mail-Followup-To: Guus Sliepen , netfilter@lists.samba.org, linux-kernel@vger.kernel.org In-Reply-To: <20001115154603.D4089@psuedomode> <20001115221922.L13682@sliepen.warande.net> <20001115163450.E4089@psuedomode> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="k2+Bt23KD9VIuFWa" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20001115163450.E4089@psuedomode>; from safemode@voicenet.com on Wed, Nov 15, 2000 at 04:34:50PM -0500 X-oi: oi Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org --k2+Bt23KD9VIuFWa Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Wed, Nov 15, 2000 at 04:34:50PM -0500, safemode wrote: > On Wed, 15 Nov 2000 16:19:23 Guus Sliepen wrote: > > On Wed, Nov 15, 2000 at 03:46:03PM -0500, safemode wrote: > >=20 > > > I was DDoS'd today while away and came home to find the firewall unab= le > > to > > > do anything network related (although my connection to irc was still > > > working oddly). a quick dmesg showed the problem. > > > ip_conntrack: maximum limit of 2048 entries exceeded > > [...] > >=20 > > I have also seen this happen on a box which ran test9. Apparently becau= se > > of > > it's long uptime, because the logs should no signs of an attack. safemode and I discussed this and we tried to find an answer in the kernel source. However, the chain of called functions is too long to determine whe= re exactly the problem is. But most likely, because init_conntrack() can fail (because it cannot free an entry, which is either because netfilter does not dare to throw out entries with large timeouts (tcp connections have ridicul= ous long timeouts btw, almost 2.3 days?!) or because IPS_CONFIRMED is not set),= and this failure is propagating back all the way to the tcp code, so that no new sockets can be opened. =46rom our point of view, the conntrack stuff should be totally transparent= to the tcp/ip stack. Since this allows for a DoS attack, might be wise to fix this before 2.4 comes out... ------------------------------------------- Met vriendelijke groet / with kind regards, Guus Sliepen ------------------------------------------- See also: http://tinc.nl.linux.org/ http://www.kernelbench.org/ ------------------------------------------- --k2+Bt23KD9VIuFWa Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE6ExQpAxLow12M2nsRApB7AKCnhSkFPqYSgqfMgVSz7i50bdzdMACgiNEz AXf2fDEkUKXi0V4HGFJVioQ= =KCnX -----END PGP SIGNATURE----- --k2+Bt23KD9VIuFWa-- - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org Please read the FAQ at http://www.tux.org/lkml/