Re: 2.0.36: ip_masqurade and stealth scan DoS

Yu Guanghui (ygh@rose.dlut.edu.cn)
Tue, 9 Mar 1999 16:42:38 +0800 (CST)


hi

I have met the same problem. I wrote a little Perl script to monitor
the TCP_CONNECT count. When I find somebody using the scan program, I
disconnect his network connection for about 10 mins.

I attach it for you. Hope this script can be useful to you.

BTW: I modified include/net/ip_masq.h ---> the number of ports that
ip_masq can use (default is 4k). I have changed it to:
#define PORT_MASQ_BEGIN 41000
#define PORT_MASQ_END (PORT_MASQ_BEGIN+16384)

And I changed net/ipv4/ip_masq.c too. There was a
#define IP_MASQ_TAB_SIZE 8192 (I changed it to 8192).

yours saka

_ _
// Yu Guanghui /> Network Center \
// ygh@rose.dlut.edu.cn // Dalian Univ. of Tech. //
\> http://banyan.dlut.edu.cn/~ygh </ China </

On Mon, 8 Mar 1999, Daniel Ryde wrote:

> Hi,
>
> We have a problem with ip_masquerading set up as a firewall. When someone
> runs a stealth scan from the masqueraded net to the outside net, it will
> very fast consume all available masquerade ports. The result is a nasty
> DoS for all addresses on the masqueraded net.
>
> Is there any possible limit on masquerade ports per source address?
> This would effectively stop the scan, and limit the DoS to the offender
> only.
>
> I guess this problem also affects 2.2 kernels as well.
>
> Is there anyone else that has been hit by this problem?
>
>
> Best Regards
>
> Daniel Ryde, System Administrator
> __________________________________________________________________________
> Tripnet AB Visit Address: Telephone: +46 31 7252500
> Box 5071 Avagen 42 Facsimile: +46 31 7252501
> S-402 22 GOTEBORG GOTEBORG Email: ryde@tripnet.se
> Sweden Sweden
>
>
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.rutgers.edu
> Please read the FAQ at http://www.tux.org/lkml/
>


[Attachment: mon.pl]

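The per-source limit asked about in the quoted message, as an added example that is not part of the original thread or the attached mon.pl: a toy Python model of a shared masquerade port pool using the 4k default size mentioned above. The quota value, host addresses and flow counts are constructed assumptions, and entries never expire in this model.

```python
from collections import Counter

POOL_SIZE = 4096        # "default is 4k" masquerade ports, per the message
PER_SOURCE_CAP = 256    # hypothetical quota, not an existing kernel setting


class MasqPool:
    """Toy model of a shared masquerade port pool (not kernel code)."""

    def __init__(self, size=POOL_SIZE, per_source_cap=None):
        self.size = size
        self.cap = per_source_cap
        self.total = 0
        self.in_use = Counter()   # internal source address -> ports held

    def allocate(self, src):
        """Return True if a port is granted to src, False if refused."""
        if self.cap is not None and self.in_use[src] >= self.cap:
            return False          # quota hit: only this source is refused
        if self.total >= self.size:
            return False          # pool exhausted: every source is refused
        self.in_use[src] += 1
        self.total += 1
        return True

    def heavy_sources(self, threshold):
        """Monitoring view: sources holding at least `threshold` ports."""
        return sorted(s for s, n in self.in_use.items() if n >= threshold)


def simulate(per_source_cap):
    """One host opens 5000 flows, then an ordinary host opens one."""
    scanner, normal = "192.168.1.50", "192.168.1.10"   # constructed addresses
    pool = MasqPool(per_source_cap=per_source_cap)
    for _ in range(5000):                              # constructed traffic
        pool.allocate(scanner)
    normal_ok = pool.allocate(normal)
    return normal_ok, pool.in_use[scanner], pool.heavy_sources(200)


if __name__ == "__main__":
    print("no quota  :", simulate(None))
    print("with quota:", simulate(PER_SOURCE_CAP))
```

Without a quota the ordinary host is refused once the pool is full; with the quota the refusal is confined to the source that exceeded it, and the same per-source counts identify that source for monitoring.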