Surviving Digg?

Grzegorz Nosek grzegorz.nosek at gmail.com
Tue May 6 10:54:51 MSD 2008


On Mon, May 05, 2008 at 07:39:56PM -0700, Neil Sheth wrote:
> Thanks, going through this.  To be honest, not something I know much
> about, but learning.
> 
> Iptables with conntrack?  Looking here:
> http://www.kalamazoolinux.org/presentations/20010417/conntrack.html
> 
> I do have entries in my iptables with params like --state NEW . . .

Disabling conntrack is especially useful when you want your router to
survive a DDoS :)

If you have conntrack enabled (state, conn*, helper and probably many
other matches; also _anything_ in the nat table), every connection eats
a few bytes of precious (on 32-bit) kernel low memory. The amount of
memory used is limited but after it is reached, new connections are
dropped.

If you only use --state NEW, for TCP the match '-p tcp --syn' should be
equivalent.

Best regards,
 Grzegorz Nosek
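
An added example (not from this thread) in POSIX shell: it audits an iptables-save style ruleset for every rule that pulls in connection tracking (state, conntrack and helper matches, plus anything in the nat table) and applies the one substitution the post calls equivalent, TCP `--state NEW` to `-p tcp --syn`. SAMPLE_RULES and the function names are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed iptables-save style ruleset (not from the post).
SAMPLE_RULES='*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 80 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW --dport 443 -j ACCEPT
-A INPUT -p tcp --syn --dport 22 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# Print every rule that needs conntrack: state/conntrack/helper matches,
# and any rule in the nat table (the whole nat table is tracked).
conntrack_users() {
    printf '%s\n' "$1" | awk '
        /^\*/    { table = substr($0, 2); next }
        /^COMMIT/ { next }
        /^-A / && (table == "nat" || / -m (state|conntrack|helper) / \
                   || / --state / || / --ctstate /) { print }
    '
}

# Number of such rules; a router meant to run conntrack-free wants 0.
conntrack_rule_count() {
    conntrack_users "$1" | wc -l | tr -d ' '
}

# Replace the TCP NEW-state match with a plain SYN match. Only the NEW
# case is rewritten: ESTABLISHED/RELATED rules and nat rules still need
# conntrack and are left for the administrator to handle.
syn_rewrite() {
    printf '%s\n' "$1" | sed -E \
        -e 's/ -p tcp -m state --state NEW / -p tcp --syn /' \
        -e 's/ -p tcp -m conntrack --ctstate NEW / -p tcp --syn /'
}
```

Running `conntrack_rule_count` on the sample reports 4 tracked rules; after `syn_rewrite` the two NEW rules no longer need conntrack, and the remaining 2 (the ESTABLISHED,RELATED rule and the MASQUERADE rule) show what is still keeping the connection table in use.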
