need help deciphering/preventing an iptables/ip_conntrack_tcp attack

From: OpenMacNews (nobody_at_nowhere.com)
Date: 08/27/04 

Date: Thu, 26 Aug 2004 22:27:36 -0700

hi all,

1st, I'll admit that i'm in over my head here ...

now:

i've recently started seeing new errors in my iptables log -- specifically,

        "ip_conntrack_tcp: invalid new deleting"

i understand that this error is triggered when the kernel's
TCP_CONNTRACK_MAX is exceeded.

cref: h**p://joshua.raleigh.nc.us/docs/linux-2.4.10_html/577727.html

    220 /* Invalid: delete conntrack */
    221 if (newconntrack == TCP_CONNTRACK_MAX) {
    222 DEBUGP("ip_conntrack_tcp: invalid new deleting.\n");
    223 return 0;
    224 }

on my router (a linksys WRT54GS w/ Sveasoft firmware), ip_conntrack_max
is set to 4096 (default).

staring at my logs, i've found that each instance of the aforementioned
error is immediately followed by a log entry at exactly the same
timestamp, which i assume means it's correlated:

        Aug 25 10:17:17 linksys kernel: ip_conntrack_tcp: invalid new deleting.
        Aug 25 10:17:17 linksys kernel: [fwCatch: global(11) DENY] IN=vlan1
OUT= SRC=202.66.107.187 DST=xx.xx.xx.xx LEN=44 TOS=0x00 PREC=0x20
TTL=114 ID=355 PROTO=TCP SPT=7777 DPT=38925 WINDOW=16616 RES=0x00 ACK
SYN URGP=0
        
        Aug 25 10:17:20 linksys kernel: ip_conntrack_tcp: invalid new deleting.
        Aug 25 10:17:20 linksys kernel: [fwCatch: global(11) DENY] IN=vlan1
OUT= SRC=202.66.107.187 DST=xx.xx.xx.xx LEN=44 TOS=0x00 PREC=0x20
TTL=114 ID=13190 PROTO=TCP SPT=7777 DPT=38925 WINDOW=16616 RES=0x00 ACK
SYN URGP=0
        
        Aug 25 16:05:14 linksys kernel: ip_conntrack_tcp: invalid new deleting.
        Aug 25 16:05:14 linksys kernel: [fwCatch: global(11) DENY] IN=vlan1
OUT= SRC=202.66.107.187 DST=xx.xx.xx.xx LEN=44 TOS=0x00 PREC=0x20
TTL=114 ID=62817 PROTO=TCP SPT=7777 DPT=38925 WINDOW=16616 RES=0x00 ACK
SYN URGP=0
        
        Aug 25 16:05:17 linksys kernel: ip_conntrack_tcp: invalid new deleting.
        Aug 25 16:05:17 linksys kernel: [fwCatch: global(11) DENY] IN=vlan1
OUT= SRC=202.66.107.187 DST=xx.xx.xx.xx LEN=44 TOS=0x00 PREC=0x20
TTL=114 ID=10346 PROTO=TCP SPT=7777 DPT=38925 WINDOW=16616 RES=0x00 ACK
SYN URGP=0
        
        Aug 26 02:40:38 linksys kernel: ip_conntrack_tcp: invalid new deleting.
        Aug 26 02:40:38 linksys kernel: [fwCatch: global(11) DENY] IN=vlan1
OUT= SRC=218.6.169.218 DST=xx.xx.xx.xx LEN=44 TOS=0x00 PREC=0x20
TTL=115 ID=27930 PROTO=TCP SPT=80 DPT=38925 WINDOW=16616 RES=0x00 ACK
SYN URGP=0
        
        Aug 26 09:15:39 linksys kernel: ip_conntrack_tcp: invalid new deleting.
        Aug 26 09:15:39 linksys kernel: [fwCatch: global(11) DENY] IN=vlan1
OUT= SRC=218.89.175.137 DST=xx.xx.xx.xx LEN=44 TOS=0x00 PREC=0x20
TTL=51 ID=42469 DF PROTO=TCP SPT=80 DPT=38925 WINDOW=16616 RES=0x00 ACK
SYN URGP=0
        
        Aug 26 09:15:42 linksys kernel: ip_conntrack_tcp: invalid new deleting.
        Aug 26 09:15:42 linksys kernel: [fwCatch: global(11) DENY] IN=vlan1
OUT= SRC=218.89.175.137 DST=xx.xx.xx.xx LEN=44 TOS=0x00 PREC=0x20
TTL=51 ID=18930 DF PROTO=TCP SPT=80 DPT=38925 WINDOW=16616 RES=0x00 ACK
SYN URGP=0
        
        Aug 26 13:27:44 linksys kernel: ip_conntrack_tcp: invalid new deleting.
        Aug 26 13:27:44 linksys kernel: [fwCatch: global(11) DENY] IN=vlan1
OUT= SRC=218.89.175.137 DST=xx.xx.xx.xx LEN=44 TOS=0x00 PREC=0x20
TTL=51 ID=31815 DF PROTO=TCP SPT=80 DPT=38925 WINDOW=16616 RES=0x00 ACK
SYN URGP=0
        
        Aug 26 21:31:23 linksys kernel: ip_conntrack_tcp: invalid new deleting.
        Aug 26 21:31:23 linksys kernel: [fwCatch: global(12) DENY] IN=vlan1
OUT= SRC=218.6.169.218 DST=xx.xx.xx.xx LEN=44 TOS=0x00 PREC=0x20
TTL=115 ID=36287 PROTO=TCP SPT=80 DPT=38925 WINDOW=16616 RES=0x00 ACK
SYN URGP=0
        
        Aug 26 21:31:26 linksys kernel: ip_conntrack_tcp: invalid new deleting.
        Aug 26 21:31:26 linksys kernel: [fwCatch: global(12) DENY] IN=vlan1
OUT= SRC=218.6.169.218 DST=xx.xx.xx.xx LEN=44 TOS=0x00 PREC=0x20
TTL=115 ID=37627 PROTO=TCP SPT=80 DPT=38925 WINDOW=16616 RES=0x00 ACK
SYN URGP=0

i've also noted that the log data above has some common
charactersitics. in each case,

        (1) all four of the offending SRC ip's:

                        202.66.107.187
                        218.6.169.218
                        218.89.175.137
                        218.6.169.218

                are in China (there's a whopping surprise ...)

        (2) SPT = 7777 or 80

        (3) DPT = 38925

        (4) WINDOW = 16616

these values also NEVER appear elsewhere ... only in these
error-generating instances.

this definitely 'smells' like some sort of an attack ... can someone
here verify/comment?

if it is, does anyone recognize/understand what is happening here, and
if there's any iptables firewall rule to be added to stop the
ip_conntrack_tcp error -- caused, i presume, by 'saturation' of the
state table?

help is much appreciated !

cheers,

richard

Quantcast