Solved

10Gbps uplink tunning

Posted on 2014-11-09
5
28 Views
Last Modified: 2016-02-15
Hello

I have few dedicated Servers got ddos attack under 2 Gbps size

All Dedicated Servers running in this scenario

Centos 6
Kvm ( Windows VM have the services that got attacked )
nginx on port 80 reversed to IIS on VM
my services that got attacked running on windows VM under the KVM and i'm redirect the traffic using NATing rules


Voice = 192.168.1.10 1999
public = 37.59.27.171 1985

iptables -t nat -A PREROUTING -p tcp -d 37.59.27.171 --dport 1985 -j DNAT --to-destination 192.168.1.10:1999
iptables -A FORWARD -p tcp -d 192.168.1.10 --dport 1999 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -p tcp -m tcp -s 192.168.1.10 --sport 1999 -j SNAT --to-source 37.59.17.170

i'm doing that to use the 10Gbps uplink for dedicated server to pervent attack and it's working

now i got some errors like "nf_conntrack table full" and users got DC

i googled the error and find too many options

what's the best for tuning 10Gbps up-link

and is there's any way to redirect the traffic from port to local IP like nating ?

Thank You.
0
Comment
Question by:benzeko
  • 2
5 Comments
 
LVL 61

Accepted Solution

by:
gheist earned 500 total points
ID: 40432224
sysctl net.netfilter.nf_conntrack_max
say multiply 8x:
sysctl net.netfilter.nf_conntrack_max=524288 >> /etc/sysctl.conf

You have extra bottleneck with iptables.
It keeps connection state where default stack saves much of memory with syncookies (do you see dmesg about that?)
0
 

Author Comment

by:benzeko
ID: 40432255
bottleneck with iptables

is that mean if i use the VM IP insert of using NATing with iptables will be more effective in DDos ?

Thank You.
0
 
LVL 61

Assisted Solution

by:gheist
gheist earned 500 total points
ID: 40432459
Past system socket resources and SYN queue (later is optimized by syncookies), iptables use another state table which has to be extended.
Effectively DoS hits resource shortage in iptables. Once you get over that you need to watch sockets and SYN queues.
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Trying to figure out group policy inheritance and which settings apply where can be a chore.  Here's a very simple summary I've written which might help.  Keep in mind, this is just a high-level conceptual overview where I try to avoid getting bogge…
David Varnum recently wrote up his impressions of PRTG, based on a presentation by my colleague Christian at Tech Field Day at VMworld in Barcelona. Thanks David, for your detailed and honest evaluation!
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now