Surviving Digg?

Grzegorz Nosek grzegorz.nosek at
Tue May 6 10:54:51 MSD 2008

On Mon, May 05, 2008 at 07:39:56PM -0700, Neil Sheth wrote:
> Thanks, going through this.  To be honest, not something I know much
> about, but learning.
> Iptables with conntrack?  Looking here:
> I do have entries in my iptables with params like --state NEW . . .

Disabling conntrack is especially useful when you want your router to
survive a DDoS :)

If you have conntrack enabled (state, conn*, helper and probably many
other matches; also _anything_ in the nat table), every connection eats
a few bytes of precious (on 32-bit) kernel low memory. The amount of
memory used is limited but after it is reached, new connections are

If you only use --state NEW, for TCP the match '-p tcp --syn' should be

Best regards,
 Grzegorz Nosek
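As an added illustration of the advice above (not part of the original post), the script below audits a constructed `iptables-save`-style dump for rules that engage conntrack (anything in the nat table, or state/conntrack/helper matches) and rewrites a TCP `--state NEW` rule to the conntrack-free `--syn` form. The sample ruleset and the function names are assumptions made for this example.

```bash
#!/bin/sh
# Added example: find rules that pull in connection tracking, and show the
# conntrack-free equivalent of "-p tcp ... --state NEW".

# Constructed sample in the style of `iptables-save` output (not a real host).
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 8080 -j REDIRECT --to-ports 80
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 22 --syn -j ACCEPT
-A INPUT -m conntrack --ctstate NEW -p udp --dport 53 -j ACCEPT
COMMIT'

# Print every rule that causes conntrack to be engaged: any rule in the
# nat table, or any rule using the state, conntrack or helper match.
# Output format: "<table>: <rule>".
conntrack_triggers() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2); next }
        /^-A/ {
            if (table == "nat" || $0 ~ /-m (state|conntrack|helper)/)
                print table ": " $0
        }'
}

# Rewrite "-p tcp ... -m state --state NEW" (or the conntrack-match form)
# to "-p tcp ... --syn": the same initial SYN packets are matched, but no
# conntrack entry is created. Rules for other protocols are left untouched.
syn_equivalent() {
    printf '%s\n' "$1" | sed -E '/-p tcp/ s/ -m (state|conntrack) --(ct)?state NEW/ --syn/'
}

# Stand-alone run: list the conntrack-engaging rules in the sample.
conntrack_triggers "$SAMPLE_RULES"
```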

More information about the nginx mailing list