On Fri, 8 Sep 2000, Andi Kleen wrote:
:If Linux stopped sending ACKs for out of order packets your machine would
:be pretty much unusable over lossy links (because fast retransmit would
:not work properly anymore) But that of course can be used
:to cause your machine to send at least an outgoing packet for each incoming
:packet.
Sending one outgoing packet for every incoming trash packet to an
unused (non-listening) port with a non-lossy fast link, is bad.
:You don't need the patch as I pointed out, it can be all done from user space
:using tc
:But it'll only stop a single attack, but there are lots of other attacks
:possible.
Userspace handling is good but not best for such (I repeat) "weakness".
:
:It would probably be more useful to find out why an attack kills other
:systems on your net. I guess you have a fast internet connection (near
:your ethernet speed) and you're probably using half duplex ethernet,
:correct?
:
:-Andi
:
I have an 100Mbps full duplex switched LAN connected on a 12mbps ->
on a 33Mbps -> Ten-155. When incoming flood from hundreds ip addresses
occurs (some of them spoofed while 95% of them not spoofed) hitting
unused TCP ports, my machine starts replying RSTs for every incoming
packet so fast that almost all the way to ten-155 is flooded badly.
Of course I can still communicate with machines on the same LAN, I
can still communicate (with big lag) with neibhouring LANs but that's
it, no further.
With my quick-n-dirty "dynamic firewalling" (if I could call it that way)
I put a blocking rule with ipfw for every incoming packet for some time
(about 15 minutes) and I remove it after. That seems to work but does
not seem optimal as it would be , let's say, iptables' RST handling but
with option to check if the target port is already "used". Which it would
be much faster.
--
George Athanassopoulos
http://www.real.macedonia.gr
http://www.egnatia.ee.auth.gr
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
Please read the FAQ at http://www.tux.org/lkml/
