netdev
[Top] [All Lists]

Re: [PATCH] fix small DoS on connect() (was Re: BUG: Unusual TCP Connect

To: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Subject: Re: [PATCH] fix small DoS on connect() (was Re: BUG: Unusual TCP Connect() results.)
From: Willy Tarreau <willy@xxxxxxxxx>
Date: Mon, 13 Jun 2005 08:17:48 +0200
Cc: davem@xxxxxxxxxxxxx, xschmi00@xxxxxxxxxxxxxxxxxx, alastair@xxxxxxxxxxxx, linux-kernel@xxxxxxxxxxxxxxx, netdev@xxxxxxxxxxx
In-reply-to: <20050613052404.GA7611@xxxxxxxxxxxxxxxxxxx>
References: <20050612120627.GA5858@xxxxxxxxxxxxxxxxxxx> <20050612123253.GK28759@xxxxxxxxxxxxxxxx> <20050612131323.GA10188@xxxxxxxxxxxxxxxxxxx> <20050612133349.GA6279@xxxxxxxxxxxxxxxxxxx> <20050612134725.GB8951@xxxxxxxxxxxxxxxx> <20050612135018.GA10910@xxxxxxxxxxxxxxxxxxx> <20050612142401.GA10772@xxxxxxxxxxxxxxxx> <20050613044810.GA32103@xxxxxxxxxxxxxxxxxxx> <20050613052148.GF8907@xxxxxxxxxxxxxxxx> <20050613052404.GA7611@xxxxxxxxxxxxxxxxxxx>
Sender: netdev-bounce@xxxxxxxxxxx
User-agent: Mutt/1.4i
On Mon, Jun 13, 2005 at 03:24:04PM +1000, Herbert Xu wrote:
> On Mon, Jun 13, 2005 at 07:21:48AM +0200, Willy Tarreau wrote:
> > 
> > > A much better place to do that is netfilter.  If you do it there
> > > then not only will your protect all Linux machines from this attack,
> > > but you'll also protect all the other BSD-derived TCP stacks.
> > 
> > Netfilter already blocks simultaneous connection. A SYN in return to
> > a SYN produces an INVALID state.
> 
> Any reason why that isn't enough?

I don't think there are a lot of people who load ip_conntrack and insert
a single DROP rule on their servers just to workaround weaknesses in the
TCP stack. If they did, they would not be more confident into netfilter
either because it would be logical to expect the same reasoning (eg: let's
not fix XX here, TCP will catch it).

What's the problem with the sysctl ? If you prefer, I can change the patch
to keep the feature enabled by default so that only people aware of the
problem have to fix it by hand. But I found it better the other way : people
who need the feature enable it by hand.

Cheers,
willy


<Prev in Thread] Current Thread [Next in Thread>