Surviving Digg?
Grzegorz Nosek
grzegorz.nosek at gmail.com
Tue May 6 10:54:51 MSD 2008
On Mon, May 05, 2008 at 07:39:56PM -0700, Neil Sheth wrote:
> Thanks, going through this. To be honest, not something I know much
> about, but learning.
>
> Iptables with conntrack? Looking here:
> http://www.kalamazoolinux.org/presentations/20010417/conntrack.html
>
> I do have entries in my iptables with params like --state NEW . . .
Disabling conntrack is especially useful when you want your router to
survive a DDoS :)
If you have conntrack enabled (state, conn*, helper and probably many
other matches; also _anything_ in the nat table), every connection eats
a few bytes of precious (on 32-bit) kernel low memory. The amount of
memory used is limited but after it is reached, new connections are
dropped.
If you only use --state NEW, for TCP the match '-p tcp --syn' should be
equivalent.
Best regards,
Grzegorz Nosek
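As an added illustration of the two points in the reply above (this is example code written for this page, not a script from the thread, from nginx, or from any project): it prints a conntrack-based INPUT chain next to the stateless TCP-only chain you get by swapping `--state NEW` for `-p tcp --syn`, and it reads how close the conntrack table is to `nf_conntrack_max`, the limit after which new connections are dropped. Assumptions, all hypothetical: the allowed TCP ports are passed as a comma-separated list, the sysctl files are read from a directory argument (on a live box that would be /proc/sys/net/netfilter) so the check can be run against constructed files, and the kernel log line counted is the nf_conntrack "table full, dropping packet" message. The functions only print iptables commands; nothing is applied to a live firewall.

```shell
#!/bin/sh
# Added example, not code from the nginx thread or any project.
# Shows a stateful INPUT chain beside the stateless TCP-only equivalent
# (--state NEW -> --syn) and checks conntrack table usage.
# Hypothetical assumptions: ports come in as a comma list; sysctl files are
# read from a directory argument; the kernel log message searched for is
# "nf_conntrack: table full, dropping packet".
set -eu

# Stateful chain: every packet does a conntrack lookup and every new flow
# creates an entry, so each connection costs kernel low memory until the
# entry times out or nf_conntrack_max is reached.
stateful_rules() {
    ports=$1
    echo 'iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for p in $(printf '%s' "$ports" | tr ',' ' '); do
        echo "iptables -A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    echo 'iptables -A INPUT -j DROP'
}

# Stateless chain, TCP only. '--syn' means SYN set with ACK, RST and FIN
# clear, i.e. the first packet of a connection, so it stands in for
# '--state NEW'. Return traffic is admitted by flag ('! --syn') instead of
# by table lookup, so nothing is stored per connection.
# Trade-offs: '! --syn' also admits ACK/FIN probes to closed ports (the
# kernel answers those with RST), RELATED traffic such as ICMP errors is
# not covered, and UDP/ICMP have no '--syn' equivalent at all.
stateless_rules() {
    ports=$1
    echo 'iptables -A INPUT -p tcp ! --syn -j ACCEPT'
    for p in $(printf '%s' "$ports" | tr ',' ' '); do
        echo "iptables -A INPUT -p tcp --dport $p --syn -j ACCEPT"
    done
    echo 'iptables -A INPUT -j DROP'
}

# Integer percentage of the conntrack table in use, read from
# nf_conntrack_count and nf_conntrack_max in the given sysctl directory.
conntrack_usage_pct() {
    dir=$1
    count=$(cat "$dir/nf_conntrack_count")
    max=$(cat "$dir/nf_conntrack_max")
    echo $(( count * 100 / max ))
}

# Count "table full" drops in a kernel log file: the visible symptom of
# hitting the limit (grep -c prints 0 but exits 1 when nothing matches).
table_full_events() {
    grep -c 'nf_conntrack: table full, dropping packet' "$1" || true
}

# Demo on constructed input (sysctl values and log lines are made up).
demo_dir=$(mktemp -d)
echo 65536 > "$demo_dir/nf_conntrack_max"
echo 61440 > "$demo_dir/nf_conntrack_count"
cat > "$demo_dir/kern.log" <<'EOF'
May  6 10:54:51 router kernel: nf_conntrack: table full, dropping packet.
May  6 10:54:51 router kernel: nf_conntrack: table full, dropping packet.
May  6 10:54:52 router kernel: eth0: link up
EOF
echo '# stateful chain'
stateful_rules 80,443
echo '# stateless chain'
stateless_rules 80,443
echo "conntrack table usage: $(conntrack_usage_pct "$demo_dir")%"
echo "table-full drops in log: $(table_full_events "$demo_dir/kern.log")"
rm -rf "$demo_dir"
```

Note that the `--syn` substitution only covers the `--state NEW` match for TCP; if the existing rules also rely on `ESTABLISHED,RELATED` for UDP or ICMP, or on anything in the nat table, conntrack stays loaded and the memory limit still applies, so check `nf_conntrack_count` against `nf_conntrack_max` before assuming a ruleset is stateless.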