Mailinglist Archive: opensuse-security (334 mails)

DOS problem with SuSE 8.1 kernel 2.4.19- (neighbour table overflow)
  • From: Philipp Rusch <Philipp.Rusch@xxxxxxxxxxxx>
  • Date: Tue, 16 Sep 2003 10:17:14 +0200
  • Message-id: <3F66C70A.CD70ABF2@xxxxxxxxxxxx>
Hello all,

Sorry for the long post, but I really have no idea anymore ...

I'm still having problems with "neighbour table overflows" when
we use iptables 1.2.7a and kernel 2.4.19 from SuSE 8.1 original distro.
The PC is working as firewall/proxy between a LAN (10.104.0.0/16),
an intranet (10.101.0.0 - 10.107.0.0/16) and the internet, which we
can only access through cascaded proxies at 149.206.x.y.
I thought last week that we solved it, when our cisco found "incomplete"
TCP connections and we switched network cards, but the problem keeps
coming back.
We even switched the complete machine in the meantime.
Today we have the situation as follows:
One of the other participants in the intranet got the blaster worm in their net,
they are still struggling with this. So we get bombed with tons of connections
on port 135 from their destination, when the worm(s) scan our net.
This fills our arp table / ip connection table with some 17.000-20.000(!)
connections in "half open" state, the kernel then throws thousands of messages
like "Neighbour table overflow" and "neighbour table flood" at high rates.
When memory is filled, the network services on this box simply stop working.
I would call this a classical DOS attack, but what can I do against it?
I already drop all relevant packets from that source, I would have thought
that the iptables / kernel code could manage this traffic (sitting behind a 2 MBit
link with a PIII-500 / 256 MB RAM)

Here is what I do against the most common "attacks":

# NETBIOS
#
run_iptables -A common -p udp --dport 137:139 -j reject
run_iptables -A common -p udp --dport 445 -j reject
run_iptables -A common -p tcp --dport 139 -j reject
run_iptables -A common -p tcp --dport 445 -j reject
run_iptables -A common -p tcp --dport 135 -j reject
############################################################################
# UPnP
#
run_iptables -A common -p udp --dport 1900 -j DROP
############################################################################
# BROADCASTS
#
run_iptables -A common -d 255.255.255.255 -j DROP
run_iptables -A common -d 224.0.0.0/4 -j DROP
############################################################################
# AUTH -- Silently reject it so that connections don't get delayed.
#
run_iptables -A common -p tcp --dport 113 -j reject
############################################################################
# DNS -- Silently drop late replies (a reply arriving after its conntrack entry
# has expired shows up as a NEW packet with source port 53)
run_iptables -A common -p udp --sport 53 -m state --state NEW -j DROP
Any helping tip is welcome, Philipp
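A small detection aid for the symptom described above, added here as an example and not part of the original post: it counts "Neighbour table overflow" / "neighbour table flood" kernel messages per minute in a syslog excerpt and flags the minutes where the rate crosses a threshold. The log lines are constructed for the example; the kernel's printk rate limiter emits "NET: N messages suppressed" after a burst, and those N are added to the burst they follow (an assumption: only when the previous kernel message was an overflow message).

```python
import re
from collections import Counter

# Constructed sample of syslog-style kernel lines (not taken from the original post).
SAMPLE_LOG = """\
Sep 16 09:58:01 fw kernel: Neighbour table overflow.
Sep 16 09:58:02 fw kernel: Neighbour table overflow.
Sep 16 09:58:02 fw kernel: NET: 37 messages suppressed.
Sep 16 09:58:03 fw kernel: Neighbour table overflow.
Sep 16 09:59:10 fw kernel: neighbour table flood
Sep 16 10:02:41 fw sshd[812]: Accepted publickey for admin from 10.104.3.7
"""

# Classic syslog timestamp ("Sep 16 09:58:01"), host, then the kernel message.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: (?P<msg>.*)$"
)
OVERFLOW_RE = re.compile(r"neighbour table (overflow|flood)", re.IGNORECASE)
SUPPRESSED_RE = re.compile(r"NET: (\d+) messages suppressed")


def count_overflows_per_minute(log_text):
    """Return {"Sep 16 09:58": n, ...} counting neighbour-table messages per minute.

    Suppressed-message counters are attributed to the overflow burst they follow
    (assumption: the suppressed messages were of the same kind as the previous one).
    """
    counts = Counter()
    last_was_overflow = False
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a kernel message; ignore
        minute = m.group("ts")[:-3]  # strip the seconds field
        msg = m.group("msg")
        if OVERFLOW_RE.search(msg):
            counts[minute] += 1
            last_was_overflow = True
            continue
        s = SUPPRESSED_RE.search(msg)
        if s and last_was_overflow:
            counts[minute] += int(s.group(1))
        last_was_overflow = False
    return dict(counts)


def flag_bursts(counts, threshold):
    """Minutes (sorted) whose overflow count reaches the threshold."""
    return sorted(k for k, v in counts.items() if v >= threshold)
```

Feed it `dmesg` or /var/log/messages output; a minute with dozens of overflows while the ARP cache is full of incomplete entries points at the scanning source.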