Surviving Digg?

eliott eliott at
Tue May 6 21:27:00 MSD 2008

On 5/5/08, Grzegorz Nosek <grzegorz.nosek at> wrote:
> On Mon, May 05, 2008 at 07:39:56PM -0700, Neil Sheth wrote:
>  > Thanks, going through this.  To be honest, not something I know much
>  > about, but learning.
>  >
>  > Iptables with conntrack?  Looking here:
>  >
>  >
>  > I do have entries in my iptables with params like --state NEW . . .
> Disabling conntrack is especially useful when you want your router to
>  survive a DDoS :)
>  If you have conntrack enabled (state, conn*, helper and probably many
>  other matches; also _anything_ in the nat table), every connection eats
>  a few bytes of precious (on 32-bit) kernel low memory. The amount of
>  memory used is limited but after it is reached, new connections are
>  dropped.
>  If you only use --state NEW, for TCP the match '-p tcp --syn' should be
>  equivalent.

Not only that, but if you don't specifically disable connection
tracking, things over the loopback get dumped into the state table by
default. Ugh!
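To make the two points above concrete (the state-match ruleset versus the '-p tcp --syn' one Grzegorz describes, and exempting loopback from the state table as eliott mentions), here is an added example that is not from the thread and not anyone's production ruleset. It assumes a host that only needs TCP/80 and TCP/22 inbound (placeholder ports), a trusted loopback, a kernel with the raw table and NOTRACK target, and the /proc/sys/net/netfilter/nf_conntrack_* files for the status check; the filenames and ports are assumptions, not taken from the thread.

```shell
#!/bin/sh
# Added example for the "Surviving Digg?" thread, not code from the list.
# Assumed: inbound TCP/80 and TCP/22 only (placeholder ports), raw table with
# NOTRACK available, nf_conntrack_* files under /proc/sys/net/netfilter.
# Default action prints the stateless ruleset; nothing is applied unless --apply.

# "Before": every match here is a conntrack consumer, so each connection
# (loopback included) takes an entry in the state table and counts against
# nf_conntrack_max. Once the table is full, new connections are dropped.
conntrack_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# "After": no state/nat/helper matches, so the conntrack module is never
# pulled in. '-p tcp --syn' stands in for '--state NEW' on TCP. The trade-off:
# non-SYN segments are accepted without the kernel checking that a connection
# actually exists, so this is a stateless filter, not a stateful one.
stateless_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp ! --syn -j ACCEPT
-A INPUT -p tcp --dport 80 --syn -j ACCEPT
-A INPUT -p tcp --dport 22 --syn -j ACCEPT
COMMIT
EOF
}

# If conntrack must stay (for example a nat table is in use), at least keep
# loopback traffic out of the state table: raw-table NOTRACK runs before
# conntrack sees the packet.
loopback_notrack_rules() {
    cat <<'EOF'
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i lo -j NOTRACK
-A OUTPUT -o lo -j NOTRACK
COMMIT
EOF
}

# Status check: how close the state table is to its limit. Prints a note
# instead of failing when the conntrack module is not loaded at all.
conntrack_usage() {
    d=/proc/sys/net/netfilter
    if [ -r "$d/nf_conntrack_count" ] && [ -r "$d/nf_conntrack_max" ]; then
        printf 'conntrack entries: %s / %s\n' \
            "$(cat "$d/nf_conntrack_count")" "$(cat "$d/nf_conntrack_max")"
    else
        echo "conntrack table not present (module not loaded)"
    fi
}

case "${1:-}" in
    --before)  conntrack_rules ;;
    --notrack) loopback_notrack_rules ;;
    --status)  conntrack_usage ;;
    --apply)   stateless_rules | iptables-restore ;;   # needs root
    *)         stateless_rules ;;
esac
```

Run it with no arguments to review the stateless set, `--before` to compare, `--status` to watch nf_conntrack_count against nf_conntrack_max on a box that still has conntrack loaded, and `--apply` only once you are happy with it. Note that the stateless variant only covers TCP; anything UDP or ICMP that the state-based rules accepted via ESTABLISHED,RELATED needs its own explicit rule.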
