LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Old 12-16-2004, 10:15 AM   #1
arthurb
LQ Newbie
 
Registered: Sep 2004
Location: Warsaw, Poland
Distribution: sarge
Posts: 7

Rep: Reputation: 0
ip_conntrack and worms


Hello,

Recently, I've been having trouble with rampaging connections taking up my ip_conntrack_max on my router, which connects ~250 PCs to the internet. The problem seems to be coming from users with computers infected by blaster, sasser, etc. Although the ports used by these worms are blocked by iptables, they still generate new connections in /proc/net/ip_conntrack.

The problem is that I can't physically disconnect such users, because their boxes generate packets with false IP addresses that match the MAC addresses of their factual owners. If I disconnect such a user by zeroing him out in /etc/ethers, the legitimate user loses access to the net, while the computer with the worm stays at large.

Any ideas about what to do?

thanks
arthur
 
Old 12-16-2004, 10:59 AM   #2
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
hello...

i don't understand your question very well...

are you asking how to prevent the worms on your lan from connecting to the external network??
 
Old 12-16-2004, 11:03 AM   #3
fur
Member
 
Registered: Dec 2003
Distribution: Debian, FreeBSD
Posts: 310

Rep: Reputation: 35
Why don't you try to clean up the source of the problem. That would be installing anti-virus software, spyware removal, and doing windows updates on all the computers.
 
Old 12-16-2004, 11:17 AM   #4
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Re: ip_conntrack and worms

Quote:
Originally posted by arthurb
I can't physically disconnect such users, because their boxes generate packets with false IP addresses that match the MAC addresses of their factual owners.
ummm... WHAT?? you just blew my mind there for a second...

=)


no, but seriously, maybe you could elaborate a little on this... i can't be the only one that doesn't fully comprehend your issue...


Last edited by win32sux; 12-16-2004 at 11:18 AM.
 
Old 12-18-2004, 11:00 AM   #5
arthurb
LQ Newbie
 
Registered: Sep 2004
Location: Warsaw, Poland
Distribution: sarge
Posts: 7

Original Poster
Rep: Reputation: 0
sorry, you're right, I wasn't too clear on the issue :-)

The thing is, I can't get rid of the problem at the source, because I don't own the computers on the LAN, I am merely the ISP. The computers belong to the users, and I can't really go about installing Spybot, Ad-Aware, etc. on all of them (about ~250), as this would involve barging into hundreds of apartments.

The other issue is that I can't pinpoint which computers are scanning the network, because all the packets come with false IP addresses and false MAC addresses. Both of these usually match the IP and MAC of perfectly innocent users on my LAN. What I do on my router is I have a file called /etc/ethers, where I enter each IP on my network alongside its correct MAC address. Then I run
Code:
arp -f
That way, only computers with correct IP/MAC pairs will get their packets routed.

Now, when I need to disconnect a user, I substitute his MAC for the number "0" in /etc/ethers. I cannot do so with users who are pumping blaster or sasser, since this would only disconnect innocent users and the villains would still be sending packets.

I wouldn't mind their sending packets (they're dropped by my firewall anyway) if it weren't for the fact that this fills up my /proc/net/ip_conntrack. After a while, I get the error message:

Code:
ip_conntrack: table full, dropping packet
This starts slowly, but after a couple of hours or days, the connections generated by the trojans take precedence, and the router starts dropping packets from legitimate users.

Hence my question:

a) is there any way that I can pinpoint who is generating the packets? (the IP and MAC are false, so no luck there)

or if that is not possible

b) is there any way that I can keep the bogus connections generated by the worms from filling up my ip_conntrack? (e.g. by having the kernel clear the ip_conntrack once in a while without having to restart the router?)

thanks, hope it's clear this time :-)

arthur
 
Old 12-18-2004, 11:46 AM   #6
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
you can check the current size of your ip_conntrack table with:

Code:
cat /proc/sys/net/ipv4/ip_conntrack_max
you can increase it with:

Code:
echo "new bigger size" > /proc/sys/net/ipv4/ip_conntrack_max
 
Old 12-18-2004, 12:52 PM   #7
arthurb
LQ Newbie
 
Registered: Sep 2004
Location: Warsaw, Poland
Distribution: sarge
Posts: 7

Original Poster
Rep: Reputation: 0
Yes, thank you,

but the problem is that the ip_conntrack_max is already maxed out at 65535.

And that is unfortunately only a temporary solution, because raising the limit just buys you time before the new connections fill it up again.

But I have found the following solution, although I do not yet know if it works:

Code:
echo "21600" > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established
This will (hopefully) flush ip_conntrack after 6h instead of 5 days.

I have also found that the following code will drop packets before they get registered by ip_conntrack:

Code:
iptables -t raw -A PREROUTING -p tcp --dport 135 -j NOTRACK
that one being for blaster, but easily modifiable for other worms. (only works with patch-o-matic)

Thanks for your suggestions.

Arthur
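As an added example (not code from this thread or from netfilter), here is a small Python script that parses entries in the /proc/net/ip_conntrack format, groups them by port and state, and reports what share of the table is held by unanswered probes to the worm ports, which is the headroom the NOTRACK rule in post #7 would give back and a way to answer question b) in post #5 with numbers. The sample entries, address ranges and the port list (135 from the thread, 445 for Sasser) are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample in the /proc/net/ip_conntrack format of 2.4/2.6 kernels
# (not copied from the thread): one web session, one DNS lookup, and a burst
# of half-open probes to 135 (Blaster) and 445 (Sasser) that never get a reply.
SAMPLE_CONNTRACK = """\
tcp      6 431990 ESTABLISHED src=10.1.1.20 dst=198.51.100.7 sport=33012 dport=80 packets=9 bytes=1200 src=198.51.100.7 dst=10.1.1.20 sport=80 dport=33012 packets=8 bytes=6100 [ASSURED] use=1
tcp      6 118 SYN_SENT src=10.1.1.57 dst=203.0.113.3 sport=1049 dport=135 packets=1 bytes=48 [UNREPLIED] src=203.0.113.3 dst=10.1.1.57 sport=135 dport=1049 packets=0 bytes=0 use=1
tcp      6 117 SYN_SENT src=10.1.1.57 dst=203.0.113.4 sport=1050 dport=135 packets=1 bytes=48 [UNREPLIED] src=203.0.113.4 dst=10.1.1.57 sport=135 dport=1050 packets=0 bytes=0 use=1
tcp      6 119 SYN_SENT src=10.1.1.57 dst=203.0.113.5 sport=1051 dport=445 packets=1 bytes=48 [UNREPLIED] src=203.0.113.5 dst=10.1.1.57 sport=445 dport=1051 packets=0 bytes=0 use=1
udp      17 29 src=10.1.1.20 dst=10.1.1.1 sport=1027 dport=53 packets=1 bytes=60 src=10.1.1.1 dst=10.1.1.20 sport=53 dport=1027 packets=1 bytes=120 use=1
"""

# proto, protocol number, timeout, optional TCP state, then the original-direction tuple
ENTRY_RE = re.compile(
    r"^(?P<proto>\w+)\s+\d+\s+(?P<timeout>\d+)\s+(?:(?P<state>[A-Z_]+)\s+)?"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)")

def parse_conntrack(text):
    """Return one dict per entry; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            e = m.groupdict()
            e["state"] = e["state"] or "-"           # UDP/ICMP entries carry no state
            e["unreplied"] = "[UNREPLIED]" in line   # the other side never answered
            entries.append(e)
    return entries

def by_port(entries):
    """Entries per (proto, dport, state): shows which ports dominate the table."""
    return Counter((e["proto"], e["dport"], e["state"]) for e in entries)

def worm_share(entries, worm_ports=("135", "445")):
    """Fraction of the table held by unreplied TCP probes to worm ports. Source
    addresses are ignored on purpose: the thread says they are spoofed."""
    if not entries:
        return 0.0
    hits = sum(1 for e in entries
               if e["proto"] == "tcp" and e["unreplied"] and e["dport"] in worm_ports)
    return hits / len(entries)

if __name__ == "__main__":
    ents = parse_conntrack(SAMPLE_CONNTRACK)   # on the router: open("/proc/net/ip_conntrack").read()
    for (proto, dport, state), n in by_port(ents).most_common():
        print("%-4s dport=%-5s %-12s %d" % (proto, dport, state, n))
    print("worm share of table: %.0f%%" % (100 * worm_share(ents)))
```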