Solved

10Gbps uplink tuning

Posted on 2014-11-09
Last Modified: 2016-02-15
Hello

I have a few dedicated servers that got a DDoS attack under 2 Gbps in size.

All dedicated servers are running in this scenario:

CentOS 6
KVM (the Windows VM has the services that got attacked)
nginx on port 80 reverse-proxied to IIS on the VM
My services that got attacked run on a Windows VM under KVM, and I redirect the traffic using NATing rules:


Voice = 192.168.1.10 1999
public = 37.59.27.171 1985

# inbound: rewrite the public port to the VM's private address/port
iptables -t nat -A PREROUTING -p tcp -d 37.59.27.171 --dport 1985 -j DNAT --to-destination 192.168.1.10:1999
# allow the forwarded flow through (state matching is what fills the conntrack table)
iptables -A FORWARD -p tcp -d 192.168.1.10 --dport 1999 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# outbound: replies from the VM leave with the public source address
iptables -t nat -A POSTROUTING -p tcp -m tcp -s 192.168.1.10 --sport 1999 -j SNAT --to-source 37.59.17.170

I'm doing that to use the 10Gbps uplink of the dedicated server to prevent the attack, and it's working.

Now I get some errors like "nf_conntrack table full" and users get disconnected.

I googled the error and found too many options.

What's the best tuning for a 10Gbps uplink?

And is there any way to redirect the traffic from a port to a local IP, like NATing?

Thank You.
Question by:benzeko
5 Comments
 
LVL 61

Accepted Solution

by: gheist (earned 500 total points)
ID: 40432224
sysctl net.netfilter.nf_conntrack_max
say, multiply it by 8:
sysctl net.netfilter.nf_conntrack_max=524288 >> /etc/sysctl.conf

You have an extra bottleneck with iptables.
It keeps connection state, whereas the default stack saves much memory with syncookies (do you see anything in dmesg about that?)
 

Author Comment

by:benzeko
ID: 40432255
bottleneck with iptables

Does that mean that if I use the VM IP instead of NATing with iptables, it will be more effective against DDoS?

Thank You.
 
LVL 61

Assisted Solution

by: gheist (earned 500 total points)
ID: 40432459
Beyond the system socket resources and the SYN queue (the latter is optimized by syncookies), iptables uses another state table, which has to be extended.
Effectively the DoS hits a resource shortage in iptables. Once you get over that, you need to watch the sockets and SYN queues.
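The two answers above (enlarge the conntrack table, then watch syncookies and the SYN queue) as a worked example. This is added code, not from the thread or from gheist: it measures conntrack pressure, sizes nf_conntrack_max from a growth factor capped by RAM, and writes the sysctl lines idempotently (the thread's `>> /etc/sysctl.conf` appends a duplicate line each time it is run). Assumed: the /proc/sys/net/netfilter files exist once nf_conntrack is loaded; ~320 bytes per entry and "one hash bucket per 8 entries" are rules of thumb, not kernel constants.

```shell
#!/bin/sh
# Added example for the thread above (not the poster's or gheist's code).

# Percentage of the conntrack table in use: $1 = count, $2 = max.
conntrack_usage_pct() {
    echo $(( $1 * 100 / $2 ))
}

# New nf_conntrack_max: $1 = current max, $2 = growth factor (the thread
# uses 8), $3 = RAM in bytes. Assumes ~320 bytes per entry and caps the
# table at 1/8 of RAM so the fix cannot itself exhaust memory.
conntrack_new_max() {
    want=$(( $1 * $2 ))
    cap=$(( $3 / 8 / 320 ))
    [ "$want" -gt "$cap" ] && want=$cap
    echo "$want"
}

# Hash buckets to go with a max (rule of thumb: one bucket per 8 entries);
# set at runtime via /sys/module/nf_conntrack/parameters/hashsize.
conntrack_hashsize() {
    echo $(( $1 / 8 ))
}

# Persist the tuning into sysctl file $2 for new max $1, replacing any
# previous value of the same keys instead of appending duplicates.
write_conntrack_sysctl() {
    f=$2
    [ -f "$f" ] || : > "$f"
    for key in net.netfilter.nf_conntrack_max \
               net.netfilter.nf_conntrack_tcp_timeout_established \
               net.ipv4.tcp_syncookies; do
        sed -i "/^$key *=/d" "$f"
    done
    {
        echo "net.netfilter.nf_conntrack_max = $1"
        # idle established flows expire after 1 hour instead of 5 days
        echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600"
        # SYN cookies keep the SYN queue usable under a flood; the kernel
        # logs "possible SYN flooding on port" in dmesg when they kick in
        echo "net.ipv4.tcp_syncookies = 1"
    } >> "$f"
}

# Live check on the host: current pressure and a suggested new max.
conntrack_report() {
    d=/proc/sys/net/netfilter
    [ -r "$d/nf_conntrack_max" ] || { echo "nf_conntrack not loaded"; return 1; }
    cnt=$(cat "$d/nf_conntrack_count"); mx=$(cat "$d/nf_conntrack_max")
    mem=$(( $(awk '/MemTotal/ {print $2}' /proc/meminfo) * 1024 ))
    echo "conntrack: $cnt/$mx ($(conntrack_usage_pct "$cnt" "$mx")% used)"
    echo "suggested nf_conntrack_max: $(conntrack_new_max "$mx" 8 "$mem")"
}
conntrack_report || true
```

After writing the file, apply it with `sysctl -p` and keep an eye on the usage percentage during the next attack; if it climbs again, the timeouts are the next knob before raising the max further.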
