[K12OSN] K12OSN a bit OT - how to deal witha DOS attack
micha at arava.co.il
Wed Sep 3 13:35:02 UTC 2008
Julius Szelagiewicz wrote:
>> Julius Szelagiewicz wrote:
>>> Dear Folks, and especially Terrell :-)
>>> I've experienced a nasty DOS attack last Friday. I am using a
>>> SonicWall Pro as a firewall (because I have some VPNs that my partners
>>> unwilling to change). The firewall stops responding when the table
>>> controlling open connections gets full. All the PCs and terminals live
>>> behind LTSP server, the internet traffic is proxied to a Squid box on
>>> Comcast, the default goes through the Sonicwall.
When you say, "the table controlling open connections" does that refer
You might try increasing the kernel runtime param ip_conntrack_max. i.e.
#echo 64000 > /proc/sys/net/ipv4/ip_conntrack_max.
The default value is chosen based on the amount of RAM in the system,
and for a busy firewall with filesharing apps behind it opening hundreds
of connections each, it can get overrun.
>> First, don't jump to conclusions about this being an attack - it is
>> fairly easy to create a routing loop with VPN's and NAT that blow things
>> up unintentionally. Try a quick wireshark capture, then do
>> statistics/endpoints, click the tcp tab and look at the list sorted by
>> tx packets (the default, I think). Another thing that can blow up nat
>> tables is a client program that does frequent retries to an unresponsive
>> server - you'll see connection attempts that keep using different source
>> port numbers. Someone might have misconfigured an email client to
>> connect every few seconds or something like that.
> Les, I grant you your points, but ...
> 32000 connections in 25 seconds, disconnecting all the windoze crap cures
> the problem ...
> I see it as an attack in the sense that I have an undiscovered virus or
> Time to learn wireshark.
> Thank you, julius
More information about the K12OSN