Re: (iptables) ip_conntrack bug?

From: Guus Sliepen (guus@warande3094.warande.uu.nl)
Date: Wed Nov 15 2000 - 17:54:34 EST


On Wed, Nov 15, 2000 at 04:34:50PM -0500, safemode wrote:

> On Wed, 15 Nov 2000 16:19:23 Guus Sliepen wrote:
> > On Wed, Nov 15, 2000 at 03:46:03PM -0500, safemode wrote:
> >
> > > I was DDoS'd today while away and came home to find the firewall unable
> > > to do anything network related (although my connection to irc was still
> > > working oddly). A quick dmesg showed the problem.
> > > ip_conntrack: maximum limit of 2048 entries exceeded
> > [...]
> >
> > I have also seen this happen on a box which ran test9. Apparently because
> > of its long uptime, because the logs showed no signs of an attack.

safemode and I discussed this and we tried to find an answer in the kernel
source. However, the chain of called functions is too long to determine where
exactly the problem is. But most likely it is because init_conntrack() can fail
(because it cannot free an entry, which is either because netfilter does not
dare to throw out entries with large timeouts (tcp connections have ridiculously
long timeouts btw, almost 2.3 days?!) or because IPS_CONFIRMED is not set), and
this failure propagates back all the way to the tcp code, so that no new
sockets can be opened.

From our point of view, the conntrack stuff should be totally transparent to the
tcp/ip stack. Since this allows for a DoS attack, it might be wise to fix this
before 2.4 comes out...

-------------------------------------------
Met vriendelijke groet / with kind regards,
  Guus Sliepen <guus@sliepen.warande.net>
-------------------------------------------
See also: http://tinc.nl.linux.org/
          http://www.kernelbench.org/
-------------------------------------------
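The failure mode described in this message (the connection-tracking table filling up until the kernel logs "ip_conntrack: maximum limit of N entries exceeded" and new connections fail) is something a firewall operator wants to notice before it happens. The following script is an added example, not code from the message or from the netfilter project: it scans dmesg-style text for the exact message quoted in the thread (and the "nf_conntrack: table full, dropping packet" wording later kernels use), and computes how much headroom remains between the current entry count and the configured maximum. The /proc paths in read_proc_counts() are those of later nf_conntrack kernels and are an assumption about the reader's system; the sample log lines are constructed.

```python
import re

# Constructed sample dmesg output. The ip_conntrack line reproduces the
# message quoted in the thread; the other lines are made up for the example.
SAMPLE_DMESG = """\
eth0: link up
ip_conntrack: maximum limit of 2048 entries exceeded
ip_conntrack: maximum limit of 2048 entries exceeded
nf_conntrack: table full, dropping packet
martian source 10.0.0.1 from 192.168.1.5, on dev eth0
"""

# Two message shapes: the 2.4-era ip_conntrack text from the thread and the
# nf_conntrack wording printed by later kernels when the table is full.
_PATTERNS = [
    re.compile(r"ip_conntrack: maximum limit of (?P<limit>\d+) entries exceeded"),
    re.compile(r"nf_conntrack: table full, dropping packet"),
]


def find_conntrack_exhaustion(log_text):
    """Count table-exhaustion messages in dmesg-style text.

    Returns {"hits": n, "limit": N or None}; "limit" is the table size
    reported by the ip_conntrack message, when one was seen.
    """
    hits = 0
    limit = None
    for line in log_text.splitlines():
        for pat in _PATTERNS:
            m = pat.search(line)
            if m:
                hits += 1
                if "limit" in m.groupdict() and m.group("limit"):
                    limit = int(m.group("limit"))
                break
    return {"hits": hits, "limit": limit}


def headroom(count, maximum, warn_fraction=0.8):
    """Return (fraction_used, warning) for a conntrack count against its max.

    warning is True once the table is at or above warn_fraction of capacity,
    which is the point at which an operator should raise the maximum or
    shorten timeouts rather than wait for the kernel to start refusing
    entries.
    """
    if maximum <= 0:
        raise ValueError("conntrack max must be positive")
    used = count / maximum
    return used, used >= warn_fraction


def read_proc_counts(count_path="/proc/sys/net/netfilter/nf_conntrack_count",
                     max_path="/proc/sys/net/netfilter/nf_conntrack_max"):
    """Read live count/max from /proc (assumed nf_conntrack paths).

    Returns (count, max) or None when the files are absent, e.g. on a
    system without connection tracking loaded.
    """
    try:
        with open(count_path) as f:
            count = int(f.read().strip())
        with open(max_path) as f:
            maximum = int(f.read().strip())
    except (FileNotFoundError, PermissionError, ValueError):
        return None
    return count, maximum


if __name__ == "__main__":
    summary = find_conntrack_exhaustion(SAMPLE_DMESG)
    print("exhaustion messages in sample log:", summary)
    live = read_proc_counts()
    if live is None:
        print("no conntrack counters readable on this system")
    else:
        used, warn = headroom(*live)
        print("conntrack table %.0f%% used%s" % (used * 100, " (WARNING)" if warn else ""))
```

Run on a live firewall, the script reports the table fill level; run on saved dmesg output, it tells you whether the kernel already hit the limit. The warn threshold is deliberately below 100% because, as the message explains, once the table is full the failure is not confined to netfilter but surfaces as refused connections.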



-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Wed Nov 15 2000 - 21:00:29 EST