Solved

10Gbps uplink tunning

Posted on 2014-11-09
5
39 Views
Last Modified: 2016-02-15
Hello

I have few dedicated Servers got ddos attack under 2 Gbps size

All Dedicated Servers running in this scenario

Centos 6
Kvm ( Windows VM have the services that got attacked )
nginx on port 80 reversed to IIS on VM
my services that got attacked running on windows VM under the KVM and i'm redirect the traffic using NATing rules


Voice = 192.168.1.10 1999
public = 37.59.27.171 1985

iptables -t nat -A PREROUTING -p tcp -d 37.59.27.171 --dport 1985 -j DNAT --to-destination 192.168.1.10:1999
iptables -A FORWARD -p tcp -d 192.168.1.10 --dport 1999 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -p tcp -m tcp -s 192.168.1.10 --sport 1999 -j SNAT --to-source 37.59.17.170

i'm doing that to use the 10Gbps uplink for dedicated server to pervent attack and it's working

now i got some errors like "nf_conntrack table full" and users got DC

i googled the error and find too many options

what's the best for tuning 10Gbps up-link

and is there's any way to redirect the traffic from port to local IP like nating ?

Thank You.
0
Comment
Question by:benzeko
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
5 Comments
 
LVL 62

Accepted Solution

by:
gheist earned 500 total points
ID: 40432224
sysctl net.netfilter.nf_conntrack_max
say multiply 8x:
sysctl net.netfilter.nf_conntrack_max=524288 >> /etc/sysctl.conf

You have extra bottleneck with iptables.
It keeps connection state where default stack saves much of memory with syncookies (do you see dmesg about that?)
0
 

Author Comment

by:benzeko
ID: 40432255
bottleneck with iptables

is that mean if i use the VM IP insert of using NATing with iptables will be more effective in DDos ?

Thank You.
0
 
LVL 62

Assisted Solution

by:gheist
gheist earned 500 total points
ID: 40432459
Past system socket resources and SYN queue (later is optimized by syncookies), iptables use another state table which has to be extended.
Effectively DoS hits resource shortage in iptables. Once you get over that you need to watch sockets and SYN queues.
0

Featured Post

ClickHouse in a General Analytical Workload

We have mentioned ClickHouse in some recent posts, where it showed excellent results.

In this article on Experts Exchange, we’ll look at how ClickHouse performs in a general analytical workload using the star schema benchmark test.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
Resolve DNS query failed errors for Exchange
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…

623 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question