
Re: [K12OSN] K12OSN a bit OT - how to deal with a DOS attack

Julius Szelagiewicz wrote:
Dear Folks, and especially Terrell :-)
I experienced a nasty DOS attack last Friday. I am using a
SonicWall Pro as a firewall (because I have some VPNs that my partners
are unwilling to change). The firewall stops responding when the table
controlling open connections gets full. All the PCs and terminals live
behind the LTSP server, the internet traffic is proxied to a Squid box on
Comcast, the default goes through the SonicWall.

When you say, "the table controlling open connections" does that refer to /proc/net/ip_connections?
You might try increasing the kernel runtime param ip_conntrack_max, i.e.

# echo 64000 > /proc/sys/net/ipv4/ip_conntrack_max

The default value is chosen based on the amount of RAM in the system, and for a busy firewall with filesharing apps behind it opening hundreds of connections each, it can get overrun.

First, don't jump to conclusions about this being an attack - it is
fairly easy to create a routing loop with VPNs and NAT that blows things
up unintentionally.  Try a quick Wireshark capture, then do
Statistics/Endpoints, click the TCP tab and look at the list sorted by
tx packets (the default, I think).  Another thing that can blow up NAT
tables is a client program that does frequent retries to an unresponsive
server - you'll see connection attempts that keep using different source
port numbers. Someone might have misconfigured an email client to
connect every few seconds or something like that.

Les, I grant you your points, but ...
32000 connections in 25 seconds, disconnecting all the windoze crap cures
the problem ...
I see it as an attack in the sense that I have an undiscovered virus or
Time to learn wireshark.
Thank you, julius
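The two diagnostics suggested in this thread (which inside host holds the most table entries, and whether one client is reconnecting from ever-new source ports to a server that never answers) can be run directly against a conntrack dump instead of a capture. The script below is an added example, not code from anyone on the list; it assumes the legacy /proc/net/ip_conntrack line layout and ships with a constructed sample table.

```python
import re
import sys
from collections import Counter, defaultdict

# Legacy /proc/net/ip_conntrack layout, original-direction tuple only; the reply
# tuple, counters and flags that follow on the line are ignored.
ENTRY = re.compile(
    r"^(?P<proto>\w+)\s+\d+\s+\d+\s+(?:(?P<state>[A-Z_]+)\s+)?"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)"
)

def parse_conntrack(text):
    """One dict per parsable line; lines in another layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append(dict(m.groupdict(), unreplied="[UNREPLIED]" in line))
    return entries

def top_sources(entries, n=5):
    """Inside hosts holding the most table entries (an endpoints view of the NAT table)."""
    return Counter(e["src"] for e in entries).most_common(n)

def find_retry_storms(entries, min_ports=20):
    """(src, dst, dport) triples where one client keeps reconnecting from fresh
    source ports and mostly never gets a reply: the misconfigured-client pattern."""
    ports, unreplied = defaultdict(set), Counter()
    for e in entries:
        key = (e["src"], e["dst"], int(e["dport"]))
        ports[key].add(e["sport"])
        unreplied[key] += e["unreplied"]
    return sorted((key, len(p)) for key, p in ports.items()
                  if len(p) >= min_ports and unreplied[key] >= len(p) // 2)

def build_sample():
    """Constructed table: normal traffic plus one mail client retrying an unresponsive
    SMTP server every few seconds, each attempt from a new source port."""
    lines = ["tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.5 sport=40001 dport=80 [ASSURED]",
             "udp      17 29 src=192.168.1.10 dst=192.168.1.1 sport=53123 dport=53"]
    lines += [f"tcp      6 117 SYN_SENT src=192.168.1.23 dst=203.0.113.9 sport={50000 + i} dport=25 [UNREPLIED]"
              for i in range(40)]
    return "\n".join(lines)

if __name__ == "__main__":
    entries = parse_conntrack(open(sys.argv[1]).read() if len(sys.argv) > 1 else build_sample())
    print("entries:", len(entries), "top sources:", top_sources(entries))
    for key, n in find_retry_storms(entries):
        print("retry storm: %s -> %s:%d across %d source ports" % (*key, n))
```

Pass a saved copy of the conntrack file as the first argument to run it on a real table; with no argument it analyses the constructed sample.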
