You are viewing a plain text version of this content. The canonical link for it is here.
Posted to apache-bugdb@apache.org by Patrick Bryant <jm...@pbryant.com> on 1999/12/20 09:00:03 UTC

other/5494: limitipconn.patch breaks legitimate connections arriving from behind firewalls

>Number:         5494
>Category:       other
>Synopsis:       limitipconn.patch breaks legitimate connections arriving from behind firewalls
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Mon Dec 20 00:10:00 PST 1999
>Last-Modified:
>Originator:     jmail@pbryant.com
>Organization:
apache
>Release:        1.3
>Environment:
Patch to version 1.3. Presumably all platforms
>Description:
The patch limitipconn.patch (posted at 
http://www.apache.org/dist/contrib/patches/1.3/limitipconn.patch) denies access
to the server when several simultaneous and legitimate connections arrive
from clients located behind firewalls that employ port address translation
(also known as "hide" mode on CheckPoint firewalls). 

Though the patch apparently attempts to protect the Apache server from DoS 
attacks that open numerous sockets to swamp system resources, many firewalls 
open all connections from the same source IP address and falsely trigger the
patch's ant-DoS feature.  Legitimate users are then randomly denied access to the
server.
>How-To-Repeat:
Open numerous connections from behind a Checkpoint firewall (or PIX configured
to use PAT).  Observe that only the first few clients are able to connect to 
the target server.
>Fix:
Protect the server with a firewall capable of detecting and repelling SYN floods.
Note that most SYN flood attacks use bogus IP addresses that will never fully
set up via the 3 way handshake.

Drop the keep-alive timeout on client IPs when several simultaneous connections
arrive from the same destination IP (but don't refuse the connections altogether).

Or simpy don't use the patch ...
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, you need]
[to include <ap...@Apache.Org> in the Cc line and make sure the]
[subject line starts with the report component and number, with ]
[or without any 'Re:' prefixes (such as "general/1098:" or      ]
["Re: general/1098:").  If the subject doesn't match this       ]
[pattern, your message will be misfiled and ignored.  The       ]
["apbugs" address is not added to the Cc line of messages from  ]
[the database automatically because of the potential for mail   ]
[loops.  If you do not include this Cc, your reply may be ig-   ]
[nored unless you are responding to an explicit request from a  ]
[developer.  Reply only with text; DO NOT SEND ATTACHMENTS!     ]