From 08f6a82bdc12db7540007db2a9a84b653c6a0402 Mon Sep 17 00:00:00 2001 From: Jan Rafaj Date: Sun, 11 Oct 2009 00:05:17 +0200 Subject: [PATCH] pknock: avoid fillup of peer table during DDoS In TCP --strict mode, forget the peer which sent the wrong knock in a sequence, rather than resetting its status to ST_INIT. This avoids filling up the peer table (which would lead to pknock DoS) in case of a DDoS attack performed by a set of port-scanning malicious hosts. --- extensions/pknock/xt_pknock.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/extensions/pknock/xt_pknock.c b/extensions/pknock/xt_pknock.c index cf60949..03135d1 100644 --- a/extensions/pknock/xt_pknock.c +++ b/extensions/pknock/xt_pknock.c @@ -841,7 +841,7 @@ update_peer(struct peer *peer, const struct xt_pknock_mtinfo *info, pk_debug("DIDN'T MATCH", peer); /* Peer must start the sequence from scratch. */ if (info->option & XT_PKNOCK_STRICT) - reset_knock_status(peer); + remove_peer(peer); return false; }
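Review bot: the caller of update_peer() must not touch `peer` after the `return false` once this lands, since `remove_peer(peer)` presumably releases the table entry that `reset_knock_status(peer)` used to leave in place; please check the call site and whatever locking remove_peer() expects, as the hunk itself takes no lock. The `pk_debug("DIDN'T MATCH", peer)` call runs before the removal, which is fine, but the comment `/* Peer must start the sequence from scratch. */` now understates the strict-mode behaviour; something like "In strict mode the peer is dropped from the table and must re-register with a fresh sequence" would match the new code. Note also that the non-strict branch still keeps the peer entry, so the peer-table exhaustion mitigation described in the commit message applies only to `--strict`; stating that limitation in the message would help.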