Surviving Digg?

eliott eliott at cactuswax.net
Tue May 6 21:27:00 MSD 2008


On 5/5/08, Grzegorz Nosek <grzegorz.nosek at gmail.com> wrote:
> On Mon, May 05, 2008 at 07:39:56PM -0700, Neil Sheth wrote:
>  > Thanks, going through this.  To be honest, not something I know much
>  > about, but learning.
>  >
>  > Iptables with conntrack?  Looking here:
>  > http://www.kalamazoolinux.org/presentations/20010417/conntrack.html
>  >
>  > I do have entries in my iptables with params like --state NEW . . .
>
>
> Disabling conntrack is especially useful when you want your router to
>  survive a DDoS :)
>
>  If you have conntrack enabled (state, conn*, helper and probably many
>  other matches; also _anything_ in the nat table), every connection eats
>  a few bytes of precious (on 32-bit) kernel low memory. The amount of
>  memory used is limited but after it is reached, new connections are
>  dropped.
>
>  If you only use --state NEW, for TCP the match '-p tcp --syn' should be
>  equivalent.

Not only that, but if you don't specifically disable connection
tracking, things over the loopback get dumped into the state table by
default. Ugh!

http://cactuswax.net/articles/ip_conntrack-loopback-blues/
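The thread's advice comes down to three checks on a ruleset: which rules pull in connection tracking at all, which of those only want NEW TCP connections and can be replaced with a stateless '-p tcp --syn' match, and whether loopback traffic has been excluded from the state table. The script below is an added example, not code from the thread or from nginx: it audits an iptables-save dump for exactly those three things. The ruleset embedded in it is constructed for the example, and the match list CONNTRACK_MATCHES is an assumption about which match extensions load conntrack (state, conntrack, helper and the conn* family, plus anything in the nat table, as the post says).

```python
"""Audit an iptables-save dump for rules that engage connection tracking.

Added example, not code from the nginx thread.  The ruleset below is a
constructed sample, not anyone's real firewall.
"""
import shlex
from typing import Dict, List, Optional, Tuple

# Constructed sample in iptables-save format.  'NOTRACK' is the raw-table
# target of 2008-era iptables; current releases spell it '-j CT --notrack'.
SAMPLE_RULESET = """\
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i lo -j NOTRACK
-A OUTPUT -o lo -j NOTRACK
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
-A INPUT -m conntrack --ctstate NEW -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
"""

# Assumed list of match extensions that load nf_conntrack as a side effect.
CONNTRACK_MATCHES = {"state", "conntrack", "helper", "connmark", "connlimit", "connbytes"}


def parse_ruleset(text: str) -> Dict[str, List[str]]:
    """Return {table: [rule, ...]} for the '-A' lines of an iptables-save dump."""
    tables: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if not line or line[0] in "#:" or line == "COMMIT":
            continue                      # comments, chain policies, COMMIT
        if line.startswith("*"):
            current = line[1:]
            tables.setdefault(current, [])
        elif current is not None and line.startswith("-A"):
            tables[current].append(line)
    return tables


def _opt(toks: List[str], flag: str) -> Optional[str]:
    """Value following `flag` in a tokenised rule, or None if absent."""
    if flag in toks and toks.index(flag) + 1 < len(toks):
        return toks[toks.index(flag) + 1]
    return None


def syn_equivalent(rule: str) -> Optional[str]:
    """Rewrite a TCP rule that matches only state NEW into the stateless '--syn' form.

    Returns None when the rule is not TCP, matches no state, or matches any
    state other than NEW (those genuinely need the state table).
    """
    toks = shlex.split(rule)
    if _opt(toks, "-p") != "tcp":
        return None
    states = _opt(toks, "--state") or _opt(toks, "--ctstate")
    if states is None or set(states.split(",")) != {"NEW"}:
        return None
    out: List[str] = []
    i = 0
    while i < len(toks):
        if toks[i] == "-m" and i + 1 < len(toks) and toks[i + 1] in ("state", "conntrack"):
            i += 2                        # drop the match-extension load
        elif toks[i] in ("--state", "--ctstate"):
            i += 2                        # drop the state list
        else:
            out.append(toks[i])
            i += 1
    out.insert(out.index("-p") + 2, "--syn")   # '--syn' must follow '-p tcp'
    return " ".join(out)


def loopback_untracked(tables: Dict[str, List[str]]) -> bool:
    """True if the raw table exempts loopback in both directions from tracking."""
    def exempt(direction_flag: str) -> bool:
        for rule in tables.get("raw", []):
            toks = shlex.split(rule)
            notrack = "NOTRACK" in toks or ("CT" in toks and "--notrack" in toks)
            if _opt(toks, direction_flag) == "lo" and notrack:
                return True
        return False
    return exempt("-i") and exempt("-o")


def audit(text: str) -> dict:
    """Classify every conntrack-engaging rule as rewritable or as a blocker."""
    tables = parse_ruleset(text)
    rewrites: List[Tuple[str, str]] = []
    blockers: List[Tuple[str, str, str]] = []
    for table, rules in tables.items():
        for rule in rules:
            toks = shlex.split(rule)
            if table == "nat":
                blockers.append((table, rule, "any rule in the nat table loads conntrack"))
                continue
            matches = {toks[i + 1] for i, t in enumerate(toks[:-1]) if t == "-m"}
            used = matches & CONNTRACK_MATCHES
            if not used:
                continue
            new = syn_equivalent(rule)
            if new is not None:
                rewrites.append((rule, new))
            else:
                blockers.append((table, rule, "needs the state table: " + ", ".join(sorted(used))))
    return {"rewrites": rewrites, "blockers": blockers,
            "loopback_untracked": loopback_untracked(tables)}


if __name__ == "__main__":
    report = audit(SAMPLE_RULESET)
    for old, new in report["rewrites"]:
        print("rewrite:", old, "->", new)
    for table, rule, why in report["blockers"]:
        print("blocker [%s]: %s (%s)" % (table, rule, why))
    print("loopback untracked:", report["loopback_untracked"])
```

Run against the sample it rewrites the two NEW-only TCP rules and reports two blockers: the MASQUERADE rule (anything in nat keeps conntrack loaded) and the ESTABLISHED,RELATED accept. That second blocker is the practical caveat to the '--syn' substitution: it removes the state match from the NEW rules, but as long as a single rule still matches ESTABLISHED or RELATED the module stays loaded and the table still fills. A fully stateless ruleset has to admit return traffic some other way, for instance with '-p tcp ! --syn' accepts for the ports you serve, and loses the protection that came from rejecting non-SYN packets that belong to no known connection.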
More information about the nginx mailing list