
Re: [Xen-users] ip conntrack table full



On Mon, Jan 25, 2010 at 5:08 PM, jim burns <jim_burn@xxxxxxxxxxxxx> wrote:
> This whole conntrack design strikes me as a serious bug that can lead to DOS
> attacks, even assuming that the counter is 32 bits. And I'm not comfortable
> with dom0 "snooping"/recording traffic on domu, isolation wise. (Yeah, I know,
> anybody can run tcpdump or wireshark on bridged traffic, but this is all being
> recorded. At least it's not world readable.)

That depends on your design.
On my system, dom0 does bridging. It doesn't filter (nor track) domU's
connections. Thus I don't have to worry about DOS in this case.

It's only normal that DOS attacks on domU can bring down the firewall
as well. So if you're worried about this you shouldn't use dom0 as a
firewall.

-- 
Fajar

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
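The distinction Fajar draws above (a dom0 that only bridges domU traffic has no conntrack table to fill, whereas a dom0 that also firewalls domU will drop new connections once the table is full) can be checked from dom0 itself. The script below is an added example for this thread, not code from Fajar or from the Xen project. It reads the standard Linux counters under /proc/sys/net/netfilter and the bridge-netfilter switch under /proc/sys/net/bridge; the 80% warning threshold and the helper names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report conntrack table pressure on a
# Xen dom0 and show whether bridged domU frames are being handed to netfilter.
# Paths are the standard Linux sysctl/proc locations; the 80% threshold is an
# assumed value for illustration.

# Integer percentage of the conntrack table currently in use.
# Taking count and max as arguments lets the function be exercised with
# constructed numbers as well as the live /proc values.
conntrack_usage_pct() {
    count="$1"; max="$2"
    [ "$max" -gt 0 ] || { echo 0; return; }
    echo $(( count * 100 / max ))
}

# Interpret net.bridge.bridge-nf-call-iptables: "tracked" means bridged
# frames traverse iptables (and therefore conntrack) in dom0, "untracked"
# means dom0 just switches them, which is the design Fajar describes.
bridge_nf_mode() {
    case "$1" in
        0) echo untracked ;;
        *) echo tracked ;;
    esac
}

# Live report: read the real counters when the module and bridge are present.
conntrack_report() {
    sysdir=/proc/sys/net/netfilter
    if [ -r "$sysdir/nf_conntrack_count" ] && [ -r "$sysdir/nf_conntrack_max" ]; then
        count=$(cat "$sysdir/nf_conntrack_count")
        max=$(cat "$sysdir/nf_conntrack_max")
        pct=$(conntrack_usage_pct "$count" "$max")
        echo "conntrack: $count/$max entries ($pct%)"
        if [ "$pct" -ge 80 ]; then
            echo "WARNING: table above 80%; new connections are dropped once it is full"
        fi
    else
        echo "conntrack module not loaded: dom0 is tracking nothing"
    fi

    brfile=/proc/sys/net/bridge/bridge-nf-call-iptables
    if [ -r "$brfile" ]; then
        echo "bridged domU traffic is $(bridge_nf_mode "$(cat "$brfile")") by dom0 netfilter"
        # To stop dom0 from tracking domU flows at all (bridge-only design):
        #   sysctl -w net.bridge.bridge-nf-call-iptables=0
    fi
    return 0
}

conntrack_report
```

Run it on dom0 as root; a "tracked" result together with a rising entry count during a flood against a domU is exactly the failure mode jim burns worries about, and the sysctl in the comment (or raising nf_conntrack_max if dom0 must keep firewalling) is the corresponding mitigation.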
