
List:       ipfilter
Subject:    Re: FTP problems
From:       "Slawek" <sgp () telsatgp ! com ! pl>
Date:       2003-09-26 16:39:05

Paul.Mackey@morganstanley.com wrote:

> Yes, this indeed was the culprit. Increasing the MAXACKWINDOW helped
> the problem.

I'm glad to hear that.


> Will there be more dynamic tracking of ACKs received and where one is in
> a window so that these types of scenario don't arise as window sizes
> increase?

ACKs and the window size are already traced. You've got the current window size in
a variable called "win". But the problem is that the window size could decrease
(I'm not aware of any TCP stack that does this, but it might be something wise,
especially if during a DoS it's running out of memory).

The best approach would be to trace the largest window size so far
(per connection), but this would mean rather large changes in ipf's code.

Let's suppose the window size would not be decreased too fast.
So I think one could safely change the "if" to something like:

--- start --
/* wrap-safe comparisons on 32-bit TCP sequence numbers */
#define SEQ_GE(a,b) ((int)((a) - (b)) >= 0)
#define SEQ_GT(a,b) ((int)((a) - (b)) > 0)
 if ((SEQ_GE(fdata->td_maxend, end)) &&       /* segment ends within what the peer allows */
     (SEQ_GE(seq, fdata->td_end - maxwin)) && /* segment starts no more than one max window back */
     (ackskew >= -2*win) &&                   /* ack slack scales with the advertised window ... */
     (ackskew <= win)) {                      /* ... instead of the fixed MAXACKWINDOW */
-- end --

I haven't tested it, but I think it should work.

Eventually one could say that we should allow packets that match the
original rule _or_ our new rule. Well, it's all up to Darren ;)


By the way, it should be quite simple to set a flag for the packet if, during
analysis, it fits the current rules' definition but is out of the window.
We could block sending RST packets which have this flag set.
This would allow one to safely create a ruleset that sends RSTs for
non-SYN packets... just an idea.


-- 
Slawek Piotrowski
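The window check sketched in the mail above, as an added example that is not part of the original thread or of ipfilter's source: a simplified model of the per-side state (the fields td_end and td_maxend, with semantics as assumed here), the wrap-safe SEQ_GE comparison, and the fixed-MAXACKWINDOW ack test beside the window-relative test from the mail, run on constructed values. The struct, the function names, the scenario values and the MAXACKWINDOW value of 66000 are all assumptions for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified per-side tracking state; field names follow the thread, but the
   struct and its semantics are an assumption for this example, not ipfilter's. */
typedef struct {
    uint32_t td_end;     /* next sequence number expected from this side */
    uint32_t td_maxend;  /* highest sequence number the peer currently accepts */
} tcpdata_t;

/* Wrap-safe comparisons on 32-bit sequence numbers, as in the mail. */
#define SEQ_GE(a,b) ((int32_t)((a) - (b)) >= 0)
#define SEQ_GT(a,b) ((int32_t)((a) - (b)) > 0)

#define MAXACKWINDOW 66000   /* fixed ack slack; value assumed for this example */

/* Sequence-range part of the check, shared by both ack rules. */
static int seq_in_window(const tcpdata_t *fdata, uint32_t seq, uint32_t end, uint32_t maxwin)
{
    return SEQ_GE(fdata->td_maxend, end) &&
           SEQ_GE(seq, fdata->td_end - maxwin);
}

/* Same test with plain unsigned comparisons: breaks once the numbers wrap. */
static int naive_seq_in_window(const tcpdata_t *fdata, uint32_t seq, uint32_t end, uint32_t maxwin)
{
    return fdata->td_maxend >= end && seq >= fdata->td_end - maxwin;
}

/* Original-style rule: the ack may lag or lead tdata->td_end by a fixed MAXACKWINDOW. */
int fits_fixed_ack(const tcpdata_t *fdata, const tcpdata_t *tdata,
                   uint32_t seq, uint32_t end, uint32_t ack, uint32_t maxwin)
{
    int32_t ackskew = (int32_t)(tdata->td_end - ack);
    return seq_in_window(fdata, seq, end, maxwin) &&
           ackskew >= -MAXACKWINDOW && ackskew <= MAXACKWINDOW;
}

/* Rule proposed in the mail: ack slack scales with the advertised window "win".
   64-bit arithmetic so that 2*win cannot overflow for scaled windows. */
int fits_window_ack(const tcpdata_t *fdata, const tcpdata_t *tdata,
                    uint32_t seq, uint32_t end, uint32_t ack,
                    uint32_t win, uint32_t maxwin)
{
    int64_t ackskew = (int32_t)(tdata->td_end - ack);
    int64_t w = win;
    return seq_in_window(fdata, seq, end, maxwin) &&
           ackskew >= -2 * w && ackskew <= w;
}

/* Constructed scenario: 1 MiB scaled window, ack lagging 500000 bytes behind
   the peer's data. Returns whether the chosen rule accepts the segment. */
int demo_large_window(int use_window_rule)
{
    uint32_t win = 1u << 20;
    tcpdata_t fdata = { 100000u, 100000u + win };
    tcpdata_t tdata = { 5000000u, 5000000u + win };
    uint32_t seq = fdata.td_end, end = seq + 1460u;
    uint32_t ack = tdata.td_end - 500000u;
    return use_window_rule
        ? fits_window_ack(&fdata, &tdata, seq, end, ack, win, win)
        : fits_fixed_ack(&fdata, &tdata, seq, end, ack, win);
}

/* Constructed scenario: the sequence space wraps past 2^32 mid-connection.
   Returns the verdict of the wrap-safe (1) or naive (0) sequence test. */
int demo_wraparound(int use_wrap_safe)
{
    uint32_t maxwin = 65535u;
    tcpdata_t fdata = { 0xFFFFFFA0u, 0x00001000u };  /* td_maxend already wrapped */
    uint32_t seq = 0xFFFFFFA0u, end = seq + 80u;      /* end = 0xFFFFFFF0, not yet wrapped */
    return use_wrap_safe ? seq_in_window(&fdata, seq, end, maxwin)
                         : naive_seq_in_window(&fdata, seq, end, maxwin);
}

int main(void)
{
    printf("large window: fixed rule=%d, window rule=%d\n",
           demo_large_window(0), demo_large_window(1));
    printf("wraparound:   naive=%d, SEQ_GE=%d\n",
           demo_wraparound(0), demo_wraparound(1));
    return 0;
}
```

The first scenario is the case from the thread: with a scaled window the ack can legitimately trail the peer's data by far more than a fixed 66000 bytes, so the fixed rule drops a valid segment while the window-relative rule keeps the connection alive. The second shows why the casts in SEQ_GE matter: once td_maxend has wrapped, a plain unsigned comparison rejects an in-window segment.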

