[RndTbl] latest kernel rate limits icmp to different hosts?
Theodore Baschak
theodore at ciscodude.net
Thu Dec 1 14:06:30 CST 2016
> On Dec 1, 2016, at 2:01 AM, Trevor Cordes <trevor at tecnopolis.ca> wrote:
>
> On 2016-11-29 Theodore Baschak wrote:
>> I'm running 4.8.{8,9,10} kernel on a couple systems, however it's on
>> Debian, and it's not stock -- I've compiled packages for my
>> infrastructure based on the coldkernel patchset we maintain.
>> https://github.com/coldhakca/coldkernel
>>
>> I'd be willing to test out something if need be.
>
> Thanks a ton! I'm attaching as simplified a test prog I made that
> shows the bug. Sorry it's such a mess, I just C&P as little code as I
> could to trigger the bug. (My code is heavily based on a sample from
> perl monks, so credit to where it's due.) The code simply creates 253
> icmp echo packets and sends them out to the LAN as fast as it can. The
> sample ignores the responses, as they aren't required to repro the bug.
>
> Change the $subnet at the top to be any of your local LAN /24 subnets.
> I guess you could test a /16, might work as-is. Have no idea about
> ipv6.
>
> On 4.8.8 or newer, as it is it should die with error most runs (but not
> all!). (I've confirmed on 4.8.8 and 4.8.10 now.)
>
> CURIOUS!!!: If you uncomment the $single= at the top and put in any
> single IP on your subnet, the bug disappears!! So the bug only hits
> when you are scanning a large number of IPs and not a single IP! Even
> though in both cases it's sending the same number of icmp packets out!
> BIZARRE! This might rule out iptables, because AFAIK there's no rule
> to match "variability of hosts".
>
> I confirmed this bug does not exist in 4.7.10 (on the same box, all
> else equal).
>
> I found a bunch of icmp and net tweaks in sysfs that possibly could
> relate, and tweaked all of them to (near-)unlimited, but it didn't help
> at all. I checked and their defaults were the same as they are on
> 4.7.10.
>
> Strange, my test is pretty much like:
> nmap -sP 192.168.101.0/24
> Yet nmap runs perfectly fine. Unless it catches these errors and
> retries/ratelimits?
>
> It's like something new in the kernel is trying to ping flood host
> scans? I'm still digging around in changelogs trying to figure it out.
>
> If you (or anyone with 4.8.8+) can confirm the bug hits with $single
> off, and doesn't hit with $single on, that would be great! Also,
> letting me know your iptables setup would help as I still haven't ruled
> that out.
>
> Thanks a ton!
> <ping-test>
Just ran this on a physical system at home with the following kernel:
Linux hypnotoad 4.8.10-coldkernel-grsec-1 #1 SMP Tue Nov 22 19:05:17 CST 2016 x86_64 GNU/Linux
I'm not running any iptables rules on this system at all, and I was able to run the test on a sample /24 without error.
Then I modified the source to ping my entire internal /19, with the same result.
No errors on my end tho :-(
Similarly, with the nmap -PE command on a /24 or even a whole /19 I didn't get any send errors.
Theodore Baschak - AS395089 - Hextet Systems
https://ciscodude.net/ - https://hextet.systems/
http://mbix.ca/