pknock: avoid fill-up of peer table during DDoS

In TCP --strict mode, forget the peer which sent the wrong knock in a
sequence, rather than resetting its status to ST_INIT. This avoids
filling up the peer table (which would lead to pknock DoS) in case of
a DDoS attack performed by a set of port-scanning malicious hosts.
Jan Rafaj
2009-10-11 00:05:17 +02:00
committed by Jan Engelhardt
parent 82a8524f1a
commit 08f6a82bdc


@@ -841,7 +841,7 @@ update_peer(struct peer *peer, const struct xt_pknock_mtinfo *info,
pk_debug("DIDN'T MATCH", peer);
/* Peer must start the sequence from scratch. */
if (info->option & XT_PKNOCK_STRICT)
reset_knock_status(peer);
remove_peer(peer);
return false;
}
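Review bot: on the strict branch `remove_peer(peer)` presumably frees or unlinks the entry, but the caller of update_peer() only sees `return false` and still holds the `peer` pointer it passed in; check every caller so that a false return is treated as "peer is gone" and the pointer is not touched afterwards (no further pk_debug(), no reset_knock_status()), otherwise the table-exhaustion DoS is traded for a use-after-free. The comment `/* Peer must start the sequence from scratch. */` above the condition now describes the replaced behaviour; with removal the peer is forgotten entirely and gets a fresh entry on its next knock, so reword it to say that. Also worth stating in the code or commit message: the change is guarded by `if (info->option & XT_PKNOCK_STRICT)`, so in non-strict mode a wrong knock still leaves the entry in the table, and the fill-up described in the commit message is mitigated only for --strict.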