Solved

10Gbps uplink tunning

Posted on 2014-11-09
5
36 Views
Last Modified: 2016-02-15
Hello

I have few dedicated Servers got ddos attack under 2 Gbps size

All Dedicated Servers running in this scenario

Centos 6
Kvm ( Windows VM have the services that got attacked )
nginx on port 80 reversed to IIS on VM
my services that got attacked running on windows VM under the KVM and i'm redirect the traffic using NATing rules


Voice = 192.168.1.10 1999
public = 37.59.27.171 1985

iptables -t nat -A PREROUTING -p tcp -d 37.59.27.171 --dport 1985 -j DNAT --to-destination 192.168.1.10:1999
iptables -A FORWARD -p tcp -d 192.168.1.10 --dport 1999 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -p tcp -m tcp -s 192.168.1.10 --sport 1999 -j SNAT --to-source 37.59.17.170

i'm doing that to use the 10Gbps uplink for dedicated server to pervent attack and it's working

now i got some errors like "nf_conntrack table full" and users got DC

i googled the error and find too many options

what's the best for tuning 10Gbps up-link

and is there's any way to redirect the traffic from port to local IP like nating ?

Thank You.
0
Comment
Question by:benzeko
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
5 Comments
 
LVL 62

Accepted Solution

by:
gheist earned 500 total points
ID: 40432224
sysctl net.netfilter.nf_conntrack_max
say multiply 8x:
sysctl net.netfilter.nf_conntrack_max=524288 >> /etc/sysctl.conf

You have extra bottleneck with iptables.
It keeps connection state where default stack saves much of memory with syncookies (do you see dmesg about that?)
0
 

Author Comment

by:benzeko
ID: 40432255
bottleneck with iptables

is that mean if i use the VM IP insert of using NATing with iptables will be more effective in DDos ?

Thank You.
0
 
LVL 62

Assisted Solution

by:gheist
gheist earned 500 total points
ID: 40432459
Past system socket resources and SYN queue (later is optimized by syncookies), iptables use another state table which has to be extended.
Effectively DoS hits resource shortage in iptables. Once you get over that you need to watch sockets and SYN queues.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
help Skype for Business keeps dropping 7 36
domain controllers numbers 4 99
md5 password 3 86
how to enable SSH in Nexus OS 1 28
I'm a big fan of Windows' offline folder caching and have used it on my laptops for over a decade.  One thing I don't like about it, however, is how difficult Microsoft has made it for the cache to be moved out of the Windows folder.  Here's how to …
Transferring data across the virtual world became simpler but protecting it is becoming a real security challenge.  How to approach cyber security  in today's business world!
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question