10Gbps uplink tunning

Hello

I have few dedicated Servers got ddos attack under 2 Gbps size

All Dedicated Servers running in this scenario

Centos 6
Kvm ( Windows VM have the services that got attacked )
nginx on port 80 reversed to IIS on VM
my services that got attacked running on windows VM under the KVM and i'm redirect the traffic using NATing rules


Voice = 192.168.1.10 1999
public = 37.59.27.171 1985

iptables -t nat -A PREROUTING -p tcp -d 37.59.27.171 --dport 1985 -j DNAT --to-destination 192.168.1.10:1999
iptables -A FORWARD -p tcp -d 192.168.1.10 --dport 1999 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -p tcp -m tcp -s 192.168.1.10 --sport 1999 -j SNAT --to-source 37.59.17.170

i'm doing that to use the 10Gbps uplink for dedicated server to pervent attack and it's working

now i got some errors like "nf_conntrack table full" and users got DC

i googled the error and find too many options

what's the best for tuning 10Gbps up-link

and is there's any way to redirect the traffic from port to local IP like nating ?

Thank You.
benzekoAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

gheistCommented:
sysctl net.netfilter.nf_conntrack_max
say multiply 8x:
sysctl net.netfilter.nf_conntrack_max=524288 >> /etc/sysctl.conf

You have extra bottleneck with iptables.
It keeps connection state where default stack saves much of memory with syncookies (do you see dmesg about that?)
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
benzekoAuthor Commented:
bottleneck with iptables

is that mean if i use the VM IP insert of using NATing with iptables will be more effective in DDos ?

Thank You.
0
gheistCommented:
Past system socket resources and SYN queue (later is optimized by syncookies), iptables use another state table which has to be extended.
Effectively DoS hits resource shortage in iptables. Once you get over that you need to watch sockets and SYN queues.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Network Management

From novice to tech pro — start learning today.