Date:	Thu, 6 Mar 2008 14:51:11 +0100 (CET)
From:	Krzysztof Oledzki <olel@....pl>
To:	Denys Fedoryshchenko <denys@...p.net.lb>
cc:	netdev@...r.kernel.org
Subject: Re: DoS by cat /proc/net/ip_conntrack ?
On Thu, 6 Mar 2008, Denys Fedoryshchenko wrote:

> Hi again
Hi,

> On loaded router
> net.netfilter.nf_conntrack_count = 415633
> passing about 100-150 Mbps
> network cards 3xe100, 1xe1000e
>
> I tried to issue the command cat /proc/net/ip_conntrack | grep 'something'
>
> The router went dead for about 2 minutes; even my ssh session disconnected.
> Ping looked like this:
> 64 bytes from dotfib (10.184.184.1): icmp_seq=15 ttl=61 time=4321 ms
> 64 bytes from dotfib (10.184.184.1): icmp_seq=50 ttl=61 time=398 ms
> 64 bytes from dotfib (10.184.184.1): icmp_seq=122 ttl=61 time=15.3 ms
> 64 bytes from dotfib (10.184.184.1): icmp_seq=142 ttl=61 time=4452 ms
> 64 bytes from dotfib (10.184.184.1): icmp_seq=180 ttl=61 time=850 ms
> (system recovered)
> 64 bytes from dotfib (10.184.184.1): icmp_seq=182 ttl=61 time=0.681 ms
> 64 bytes from dotfib (10.184.184.1): icmp_seq=183 ttl=61 time=0.936 ms
> 64 bytes from dotfib (10.184.184.1): icmp_seq=184 ttl=61 time=2.94 ms
>
> I don't think it is normal, and such a command takes a lot of system resources
> and causes the whole system to hang.
>
> Kernel 2.6.24.2

The answer is quite simple here: don't do this. Instead, use "conntrack -L" 
as netlink is much more effective and better designed.

Best regards,

 				Krzysztof Olędzki
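The advice in the thread is to avoid walking the whole table through /proc on a busy router and to query it through netlink instead. The following shell script is an added example, not code from either participant or from the conntrack-tools project: it checks how full the table is from the nf_conntrack_count / nf_conntrack_max sysctl files before anyone decides to dump it, and lists entries through "conntrack -L" with a protocol and destination-port filter so that only matching flows are formatted for userspace. The 50000-entry threshold, the CT_COUNT_FILE / CT_MAX_FILE overrides (which let the helpers run against constructed files) and the conntrack-check.sh name are assumptions for this example.

```shell
#!/bin/sh
# Added example: inspect the conntrack table without a full /proc dump.
# The two paths default to the real sysctl files but can be overridden
# (assumed variable names) so the helpers can be exercised offline.
CT_COUNT_FILE="${CT_COUNT_FILE:-/proc/sys/net/netfilter/nf_conntrack_count}"
CT_MAX_FILE="${CT_MAX_FILE:-/proc/sys/net/netfilter/nf_conntrack_max}"

# Percentage of the table in use: $1 = count file, $2 = max file.
# Prints an integer, returns 1 if either counter cannot be read.
ct_fill_percent() {
    count=$(cat "$1" 2>/dev/null) || return 1
    max=$(cat "$2" 2>/dev/null) || return 1
    [ "$max" -gt 0 ] || return 1
    echo $(( count * 100 / max ))
}

# True (exit 0) when a full table walk is small enough to be tolerable:
# $1 = count file, $2 = entry threshold (assumed default 50000).
ct_safe_to_dump() {
    count=$(cat "$1" 2>/dev/null) || return 1
    [ "$count" -lt "${2:-50000}" ]
}

# Filtered listing over netlink with conntrack-tools: $1 = protocol,
# $2 = destination port. Only matching entries are returned, so the
# kernel does not format every flow the way /proc/net/ip_conntrack does.
ct_list_filtered() {
    command -v conntrack >/dev/null 2>&1 || { echo "conntrack not installed" >&2; return 1; }
    conntrack -L -p "$1" --dport "$2"
}

# Stand-alone use: report table pressure, then list TCP port 80 flows
# only if the conntrack tool is present. Nothing here runs a raw
# /proc dump. (Guarded so sourcing the file defines the functions only.)
if [ "${0##*/}" = "conntrack-check.sh" ]; then
    if pct=$(ct_fill_percent "$CT_COUNT_FILE" "$CT_MAX_FILE"); then
        echo "conntrack table ${pct}% full"
        if ct_safe_to_dump "$CT_COUNT_FILE"; then
            echo "table is small; a full listing would be cheap"
        else
            echo "table is large; use a filtered conntrack -L instead of cat /proc/net/ip_conntrack"
        fi
    else
        echo "conntrack sysctl counters not readable here" >&2
    fi
    ct_list_filtered tcp 80 || true
fi
```

Run it as conntrack-check.sh on the router, or source it and call the helpers from a monitoring job; a fill percentage near 100 means new flows are about to be dropped, which is a separate availability problem from the one the thread reports, and is worth alerting on from the same counters.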
