LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Networking (http://www.linuxquestions.org/questions/linux-networking-3/)
-   -   tripping firewall rate limit, false positive? (http://www.linuxquestions.org/questions/linux-networking-3/tripping-firewall-rate-limit-false-positive-670435/)

scattered 09-17-2008 02:39 AM

tripping firewall rate limit, false positive?
 
Hi there,

I've set up a rate-limiting firewall option with iptables 1.4.1.1 and ipt_recent, today some Ip out there got themselves into 'jail' after a strange looking sequence downloading a single web page. They got about 80% of the page images when they started sending ACK FIN packets which were tossed by the firewall as invalid, then these events triggered the rate limiter (60 new packets in a minute) and they were placed into a ban list where everything is dropped, after about 20 packets they go quiet.

This is okay from my point of view except I wonder why the sequence went from normal request stream to ACK FINs?

To give an idea of the sifference in traffic, here's three different IPs download the same web page, the small number is packet count, the large number SRC port:

Okay, one by one item download:
1 55360
1 55361
1 55362
1 55363
1 55364
1 55365
1 55366
1 55367
1 55368
1 55369
1 55370
1 55371
1 55372
1 55373
Okay, four streams of items:
1 2175
1 2176
1 2177
1 2178
Bad, some sort of download accelerator? Huh?:
8 49263
8 49420
7 52728
9 53523
7 53702
7 53920
8 55719
8 57784
7 59417
7 59714
7 62784
8 65129

Anyone recognise this type of access pattern?
Thanks.

scattered 09-19-2008 04:23 AM

Added this config item for sadly sicko windoze boxen:

# bugfix? for INVALID packets appearing to break valid connections,
# "be liberal in what you accept" :)
echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal

Much better!


All times are GMT -5. The time now is 06:51 AM.