[RndTbl] latest kernel rate limits icmp to different hosts?

Theodore Baschak theodore at ciscodude.net
Thu Dec 1 14:06:30 CST 2016


> On Dec 1, 2016, at 2:01 AM, Trevor Cordes <trevor at tecnopolis.ca> wrote:
> 
> On 2016-11-29 Theodore Baschak wrote:
>> I'm running 4.8.{8,9,10} kernel on a couple systems, however it's on
>> Debian, and it's not stock -- I've compiled packages for my
>> infrastructure based on the coldkernel patchset we maintain.
>> https://github.com/coldhakca/coldkernel
>> 
>> I'd be willing to test out something if need be.
> 
> Thanks a ton!  I'm attaching as simplified a test prog I made that
> shows the bug.  Sorry it's such a mess, I just C&P as little code as I
> could to trigger the bug.  (My code is heavily based on a sample from
> perl monks, so credit to where it's due.)  The code simply creates 253
> icmp echo packets and sends them out to the LAN as fast as it can.  The
> sample ignores the responses, as they aren't required to repro the bug.
> 
> Change the $subnet at the top to be any of your local LAN /24 subnets.
> I guess you could test a /16, might work as-is.  Have no idea about
> ipv6.
> 
> On 4.8.8 or newer, as it is it should die with error most runs (but not
> all!).  (I've confirmed on 4.8.8 and 4.8.10 now.)
> 
> CURIOUS!!!:  If you uncomment the $single= at the top and put in any
> single IP on your subnet, the bug disappears!!  So the bug only hits
> when you are scanning a large number of IPs and not a single IP!  Even
> though in both cases it's sending the same number of icmp packets out!
> BIZARRE!  This might rule out iptables, because AFAIK there's no rule
> to match "variability of hosts".
> 
> I confirmed this bug does not exist in 4.7.10 (on the same box, all
> else equal).
> 
> I found a bunch of icmp and net tweaks in sysfs that possibly could
> relate, and tweaked all of them to (near-)unlimited, but it didn't help
> at all.  I checked and their defaults were the same as they are on
> 4.7.10.
> 
> Strange, my test is pretty much like:
> nmap -sP 192.168.101.0/24
> Yet nmap runs perfectly fine.  Unless it catches these errors and
> retries/ratelimits?
> 
> It's like something new in the kernel is trying to ping flood host
> scans?  I'm still digging around in changelogs trying to figure it out.
> 
> If you (or anyone with 4.8.8+) can confirm the bug hits with $single
> off, and doesn't hit with $single on, that would be great!  Also,
> letting me know your iptables setup would help as I still haven't ruled
> that out.
> 
> Thanks a ton!
> <ping-test>


Just ran this on a physical system at home with the following kernel:
Linux hypnotoad 4.8.10-coldkernel-grsec-1 #1 SMP Tue Nov 22 19:05:17 CST 2016 x86_64 GNU/Linux

I'm not running any iptables rules on this system at all, and I was able to run the test on a sample /24 without error.
Then I modified the source to ping my entire internal /19, with the same result.

No errors on my end though :-(

Similarly, with the nmap -PE command on a /24 or even a whole /19 I didn't get any send errors.


Theodore Baschak - AS395089 - Hextet Systems
https://ciscodude.net/ - https://hextet.systems/
http://mbix.ca/
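For anyone who wants to repeat the comparison above without the attached Perl script, the following is an added Python harness (not Trevor's ping-test, and not part of the coldkernel project): it builds ICMP echo requests with a correct RFC 1071 checksum, fires one at every host in a subnet as fast as possible, ignores replies, and records the errno of every sendto() that fails, so a run on 4.7.x and 4.8.8+ can be compared host by host. The send path is injectable so the packet construction and error bookkeeping can be exercised without raw-socket privileges; the subnet 192.0.2.0/24, the payload string and the `--single` behaviour are constructed for this example, and the exact errno the kernel returns is not stated in the thread, so the code reports whatever it gets.

```python
import errno
import ipaddress
import os
import socket
import struct
import sys


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes = b"ratelimit-test") -> bytes:
    """ICMP type 8 (echo request), code 0, checksum filled in; payload is a constructed value."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident & 0xFFFF, seq & 0xFFFF)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident & 0xFFFF, seq & 0xFFFF) + payload


def raw_icmp_sender():
    """Real sender: one raw ICMP socket (needs CAP_NET_RAW or root). Returns send(host, pkt)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)

    def send(host: str, pkt: bytes) -> None:
        sock.sendto(pkt, (host, 0))

    return send


def sweep(subnet: str, send, ident: int = None, single: str = None) -> dict:
    """Send one echo request per host in `subnet` as fast as possible, ignoring replies.

    If `single` is set, every packet goes to that one address instead (same packet count),
    which mirrors the $single= variant in the thread. Returns {destination: errno name}
    for each failed sendto(); an empty dict means no send errors.
    """
    if ident is None:
        ident = os.getpid()
    failures = {}
    hosts = list(ipaddress.ip_network(subnet).hosts())
    for seq, host in enumerate(hosts, start=1):
        dest = single if single else str(host)
        pkt = build_echo_request(ident, seq)
        try:
            send(dest, pkt)
        except OSError as e:
            # Keep the first error per destination; the thread does not say which errno to expect.
            failures.setdefault(dest, errno.errorcode.get(e.errno, str(e.errno)))
    return failures


if __name__ == "__main__":
    # usage: sudo python3 icmp_sweep.py 192.0.2.0/24 [--single 192.0.2.1]
    net = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.0/24"  # constructed default
    one = sys.argv[3] if len(sys.argv) > 3 and sys.argv[2] == "--single" else None
    result = sweep(net, raw_icmp_sender(), single=one)
    print("send errors: %d" % len(result))
    for dest, name in result.items():
        print(dest, name)
```

Run it once on the affected kernel against a /24 and once with `--single` pointed at a live host; the thread's observation is that only the many-destination run should produce send errors, so a non-empty `failures` dict in the first run and an empty one in the second is the signature being looked for.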
