Networking Forums

netfilter firewall crash ip_conntrack table full

riviereg (Guest), 07-24-2004, 01:54 AM

Dear all coln,

I have a problem with the NAT/firewall of my office:
This is a Debian testing box with netfilter.
It works fine most of the time, but sometimes
one of the Windows XP workstations of my office tries to access many,
many IP addresses. This is maybe another virus or spyware on this buggy
system, but this workstation shuts down our network connection.

So, my problem is not to increase the number in
/proc/sys/net/ipv4/ip_conntrack_max;

my problem is to forbid a Windows workstation from doing some kind of DoS
on my firewall ... Because when this table is full, my firewall refuses
to do its job.

So, is there a way to automatically detect this kind of workstation on
the internal network, and automatically cut the connection for this
workstation, purge the table and send a mail to the network
administrator? Is there some script for this?

I really need help on this stuff,
Guillaume


Here is (a part of) my kernel.log:
....
Jul 22 09:00:03 mars kernel: ip_conntrack: table full, dropping packet.
Jul 22 09:03:16 mars kernel: ip_conntrack: table full, dropping packet.
Jul 22 09:03:47 mars last message repeated 4 times
Jul 22 09:05:28 mars kernel: ip_conntrack: table full, dropping packet.
Jul 22 09:05:53 mars kernel: ip_conntrack: table full, dropping packet.
Jul 22 09:09:57 mars kernel: ip_conntrack: table full, dropping packet.
Jul 22 09:11:31 mars kernel: ip_conntrack: table full, dropping packet.
Jul 22 09:12:29 mars kernel: ip_conntrack: table full, dropping packet.
Jul 22 09:13:09 mars kernel: ip_conntrack: table full, dropping packet.
....


In my /proc/net/ip_conntrack there are many, many SYNs from the same
internal IP address to many, many different external IPs. On this
computer there is no kazaa/mule/game or whatever. In fact there is
nothing running on this WXP workstation (this is a spyware or a virus
or another XP SP2 bug or ...)

ynotssor (Guest), 07-24-2004, 03:44 AM

"riviereg" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) om

> In my /proc/net/ip_conntrack there is many many SYNC from the same
> internal ip address to many many differents external IP. On this
> computer there is no kazaa/mule/game or what ever.


You mean, nothing about which you know. You make several authoritative
statements about what is or isn't running on the XP machine, yet you provide
no evidence to support those claims.

> In fact there is
> nothing running on this WXP workstation (this is a spyware or a virus
> or another XP SP2 Bug or ...)


Use ethereal on the router, collect some packets from the XP machine and see
what it is. If "there is nothing running" on the XP machine, then simply
turn it off or wipe the disk and install Linux.


tony

--
use hotmail for email replies


riviereg (Guest), 07-26-2004, 12:43 AM

"ynotssor" <(E-Mail Removed)> wrote in message news:<(E-Mail Removed)>...
> "riviereg" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed) om
>
> > In my /proc/net/ip_conntrack there is many many SYNC from the same
> > internal ip address to many many differents external IP. On this
> > computer there is no kazaa/mule/game or what ever.

>
> You mean, nothing about which you know. You make several authoritative
> statements about what is or isn't running on the XP machine, yet you provide
> no evidence to support those claims.


Dear Tony,
Thank you for your reply,

In fact this is a new XP SP2 workstation; I just installed it. That's why
I said there is "nothing" on this computer. I know that there is some
software on this workstation that is doing something wrong with my network.

>
> > In fact there is
> > nothing running on this WXP workstation (this is a spyware or a virus
> > or another XP SP2 Bug or ...)

>
> Use ethereal on the router, collect some packets from the XP machine and see
> what it is. If "there is nothing running" on the XP machine, then simply
> turn if off or wipe the disk and install Linux.


Yeah, but my problem is not to find out what is going on with XP SP2 on
this workstation; my problem is to forbid a workstation from crashing my
Linux router and my Internet connection. I cannot put all the
workstations of my office on Linux.
People here need XP for their workstations.

Of course, I stopped this workstation. But for the next time, I would
like to protect my network from this kind of problem.


If you have some ideas for this,

Regards,
Guillaume

ynotssor (Guest), 07-26-2004, 01:44 AM

"riviereg" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) om

>> Use ethereal on the router, collect some packets from the XP
>> machine and see what it is.

[...]
> Year, but my problem is not to find what is going on with XP SP2 on
> this workstation, my problem is to forbid a workstation to crash my
> linux router and my internet connection.

[...]
> If you have some ideas for this,


I already gave you an "idea" that will tell you what is happening that
"crashes" the router.

When you see what ports and what sites the XP machine is connecting to
(using ethereal), then you can take actions to drop packets going to those
ports/sites, as well as gain the information that will tell you what is
happening.

Or if you want a quick fix, then just drop all outbound packets from the XP
machine, and it will make no demands on ip_conntrack.


tony

--
use hotmail for email replies

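Putting the thread's two answers together (detect the internal host that is filling ip_conntrack with half-open connections, then drop its forwarded packets as Tony suggests, purge its entries and mail the administrator as the original poster asked), here is an added example in POSIX shell. It is not code from the thread or from the netfilter project. The /proc/net/ip_conntrack text is a constructed sample in the 2.4/2.6-kernel layout (newer kernels expose /proc/net/nf_conntrack with a slightly different layout); the threshold, the ADMIN_MAIL address and the use of the `conntrack` tool from conntrack-tools (which did not exist when the thread was written) are assumptions. Nothing is executed unless APPLY=1 is set; by default the containment commands are only printed.

```shell
#!/bin/sh
# Added example: spot an internal host with an abnormal number of unreplied
# SYN_SENT conntrack entries and print the containment steps for it.

# Constructed sample of /proc/net/ip_conntrack (2.4/2.6 layout). Entries with
# [UNREPLIED] are connections the remote side never answered; these are what
# a scanning host piles up until the table is full.
SAMPLE_CONNTRACK='tcp      6 119 SYN_SENT src=192.168.1.50 dst=203.0.113.7 sport=1025 dport=80 [UNREPLIED] src=203.0.113.7 dst=192.168.1.50 sport=80 dport=1025 use=1
tcp      6 118 SYN_SENT src=192.168.1.50 dst=203.0.113.8 sport=1026 dport=80 [UNREPLIED] src=203.0.113.8 dst=192.168.1.50 sport=80 dport=1026 use=1
tcp      6 117 SYN_SENT src=192.168.1.50 dst=203.0.113.9 sport=1027 dport=445 [UNREPLIED] src=203.0.113.9 dst=192.168.1.50 sport=445 dport=1027 use=1
tcp      6 116 SYN_SENT src=192.168.1.50 dst=198.51.100.4 sport=1028 dport=445 [UNREPLIED] src=198.51.100.4 dst=192.168.1.50 sport=445 dport=1028 use=1
tcp      6 115 SYN_SENT src=192.168.1.50 dst=198.51.100.5 sport=1029 dport=135 [UNREPLIED] src=198.51.100.5 dst=192.168.1.50 sport=135 dport=1029 use=1
tcp      6 431999 ESTABLISHED src=192.168.1.20 dst=198.51.100.10 sport=3344 dport=80 src=198.51.100.10 dst=192.168.1.20 sport=80 dport=3344 [ASSURED] use=1
tcp      6 110 SYN_SENT src=192.168.1.20 dst=198.51.100.11 sport=3345 dport=443 [UNREPLIED] src=198.51.100.11 dst=192.168.1.20 sport=443 dport=3345 use=1
tcp      6 109 SYN_SENT src=192.168.1.20 dst=198.51.100.12 sport=3346 dport=443 [UNREPLIED] src=198.51.100.12 dst=192.168.1.20 sport=443 dport=3346 use=1
udp      17 29 src=192.168.1.20 dst=192.168.1.1 sport=1050 dport=53 src=192.168.1.1 dst=192.168.1.20 sport=53 dport=1050 use=1'

# Assumed values: on a real router the limit would be a few hundred, and the
# address is whatever the administrator reads.
THRESHOLD=${THRESHOLD:-3}
ADMIN_MAIL=${ADMIN_MAIL:-netadmin@example.invalid}

# find_offenders CONNTRACK_TEXT LIMIT
# Prints "count ip", highest first, for every original-direction source with
# more than LIMIT unreplied SYN_SENT entries. Only the first src= field of each
# line is the internal host; the second is the reply direction and is skipped.
# On a live box feed it "$(cat /proc/net/ip_conntrack)".
find_offenders() {
    printf '%s\n' "$1" | awk -v limit="$2" '
        $1 == "tcp" && $4 == "SYN_SENT" && /\[UNREPLIED\]/ {
            for (i = 5; i <= NF; i++)
                if ($i ~ /^src=/) { split($i, kv, "="); n[kv[2]]++; break }
        }
        END { for (ip in n) if (n[ip] > limit) print n[ip], ip }' | sort -rn
}

# containment_commands IP
# The three actions the thread asks for, as shell commands: Tony's quick fix
# (stop forwarding the host), a purge of its conntrack entries (conntrack-tools,
# assumed installed) and a mail to the administrator.
containment_commands() {
    printf 'iptables -I FORWARD -s %s -j DROP\n' "$1"
    printf 'conntrack -D -s %s\n' "$1"
    printf 'echo "%s exceeded the conntrack limit" | mail -s "conntrack flood" %s\n' "$1" "$ADMIN_MAIL"
}

# scan_and_respond CONNTRACK_TEXT LIMIT
# For each offender, print a summary line and the containment commands; with
# APPLY=1 the commands are executed instead of printed.
scan_and_respond() {
    find_offenders "$1" "$2" | while read -r count ip; do
        echo "# $ip has $count unreplied SYN_SENT entries"
        containment_commands "$ip" | while read -r cmd; do
            if [ "${APPLY:-0}" = 1 ]; then eval "$cmd"; else echo "$cmd"; fi
        done
    done
}

# Run against the constructed sample: only 192.168.1.50 exceeds the limit.
scan_and_respond "$SAMPLE_CONNTRACK" "$THRESHOLD"
```

Run it from cron every minute with the real table as input; the DROP rule must come before any ACCEPT in FORWARD, which `-I` guarantees. Counting only unreplied SYN_SENT entries, rather than all entries per host, keeps a busy but legitimate workstation (many established flows) from tripping the limit; the [ASSURED] line in the sample is deliberately ignored for that reason.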

Juhan Leemet (Guest), 07-27-2004, 05:08 PM

On Sun, 25 Jul 2004 18:44:06 -0700, ynotssor wrote:
> "riviereg" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed) om
>
>>> Use ethereal on the router, collect some packets from the XP
>>> machine and see what it is.

> [...]
>> Year, but my problem is not to find what is going on with XP SP2 on
>> this workstation, my problem is to forbid a workstation to crash my
>> linux router and my internet connection.

> [...]
>> If you have some ideas for this,

>
> I already gave you an "idea" that will tell you what is happening that
> "crashes" the router.
>
> When you see what ports and what sites the XP machine is connecting to
> (using ethereal), then you can take actions to drop packets going to those
> ports/sites, as well as gain the information that will tell you what is
> happening.


Is this a case of "XP call home"? (for registration up/download?)

> Or if you want a quick fix, then just drop all outbound packets from the XP
> machine, and it will make no demands on ip_conntrack.


That should shut it up. However, if you don't register XP, then it won't
be "enabled" and the software won't work. Catch-22 situation?

--
Juhan Leemet
Logicognosis, Inc.
