As unpleasant as it might be, when you get a DDoS/DoS attack of high magnitude many things can go wrong. One of them, which is often overlooked, is the filling of the ‘conntrack’ table in the kernel. The DDoS attack might stop and nevertheless the web site is still not available for a while, while other IPs on the same web server are still running well. The problem can be that the ‘conntrack’ table for a particular IP has been filled up and no more connections from outside are accepted for that IP.
Here are some tips to help find out the conntrack status.
NOTE: We have to remember that the table doesn’t delete any old inactive connections until the table is full and new connections are being made. In that case only enough old inactive connections in the table are deleted to make space for the new ones. The table therefore holds 3 types of connections:
– OLD inactive connections
– Connections in the process of closing (TIME_WAIT, FIN_WAIT1, FIN_WAIT2)
– Active connections (ESTABLISHED)
The following tools and commands will help find out the conntrack table status:
apt-get install iptstate
modprobe ip_conntrack
cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
The default value is 65536; you can double or triple this value when necessary. Note that sysctl -w takes the key and value without spaces around the equals sign:
/sbin/sysctl -w net.netfilter.nf_conntrack_max=196608
To make it permanent across reboots, add the value to sysctl.conf (net.ipv4.netfilter.ip_conntrack_max is the legacy key name; current kernels expose it as net.netfilter.nf_conntrack_max):
echo net.ipv4.netfilter.ip_conntrack_max = 196608 >> /etc/sysctl.conf
It is not recommended to set such a large value if you have less than 1 gigabyte of RAM in your NAT server. To show the current value you can use something like this:
/sbin/sysctl net.netfilter.nf_conntrack_max
To see how full the connection tracking table already is, compare the current count with the maximum:
/sbin/sysctl net.netfilter.nf_conntrack_count
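To put those two readings to use, here is an added example script (not from the original post) that turns nf_conntrack_count and nf_conntrack_max into a percentage with an alert threshold, and breaks a /proc/net/nf_conntrack dump down by TCP state so you can see whether ESTABLISHED, TIME_WAIT or half-open entries are what is filling the table. The function names and the sample dump are my own; the sysctl and proc paths are the standard kernel ones.

```shell
#!/bin/sh
# Added example (not from the original post). Function names and the sample
# dump below are my own; the sysctl/proc paths are the standard kernel ones.

# conntrack_usage_pct COUNT MAX -> integer percentage of the table in use
conntrack_usage_pct() {
    [ "$2" -gt 0 ] || return 1
    echo $(( $1 * 100 / $2 ))
}

# conntrack_check COUNT MAX THRESHOLD_PCT -> prints OK/WARN, returns 1 on WARN
conntrack_check() {
    pct=$(conntrack_usage_pct "$1" "$2") || return 2
    if [ "$pct" -ge "$3" ]; then
        echo "WARN conntrack table ${pct}% full ($1/$2)"; return 1
    fi
    echo "OK conntrack table ${pct}% full ($1/$2)"
}

# conntrack_state_summary: reads a /proc/net/nf_conntrack dump (or the older
# /proc/net/ip_conntrack layout) on stdin and prints "STATE count" per TCP
# state, busiest state first. UDP entries carry no state and are skipped.
conntrack_state_summary() {
    awk '$1 == "tcp" { states[$4]++ }      # old ip_conntrack layout
         $3 == "tcp" { states[$6]++ }      # nf_conntrack layout
         END { for (s in states) print s, states[s] }' | sort -k2,2nr -k1,1
}

# live_conntrack_check THRESHOLD_PCT: run against this host (needs conntrack loaded)
live_conntrack_check() {
    dir=/proc/sys/net/netfilter
    [ -r "$dir/nf_conntrack_count" ] || { echo "conntrack not loaded"; return 2; }
    conntrack_check "$(cat "$dir/nf_conntrack_count")" \
                    "$(cat "$dir/nf_conntrack_max")" "${1:-80}"
    [ -r /proc/net/nf_conntrack ] && conntrack_state_summary < /proc/net/nf_conntrack
}

# Constructed sample in /proc/net/nf_conntrack format (not captured data).
SAMPLE_CONNTRACK='ipv4     2 tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=51234 dport=80 src=198.51.100.5 dst=192.0.2.10 sport=80 dport=51234 [ASSURED] mark=0 use=1
ipv4     2 tcp      6 119 TIME_WAIT src=192.0.2.11 dst=198.51.100.5 sport=51235 dport=80 src=198.51.100.5 dst=192.0.2.11 sport=80 dport=51235 [ASSURED] mark=0 use=1
ipv4     2 tcp      6 118 TIME_WAIT src=192.0.2.12 dst=198.51.100.5 sport=51236 dport=80 src=198.51.100.5 dst=192.0.2.12 sport=80 dport=51236 [ASSURED] mark=0 use=1
ipv4     2 tcp      6 29 SYN_RECV src=192.0.2.13 dst=198.51.100.5 sport=51237 dport=80 src=198.51.100.5 dst=192.0.2.13 sport=80 dport=51237 mark=0 use=1
ipv4     2 udp      17 29 src=192.0.2.14 dst=198.51.100.5 sport=5353 dport=53 src=198.51.100.5 dst=192.0.2.14 sport=53 dport=5353 mark=0 use=1'

# Demo on constructed numbers: 163840 of 196608 slots used (83%), then the state breakdown.
conntrack_check 163840 196608 80 || :   # non-zero exit is the alert signal for a monitor
printf '%s\n' "$SAMPLE_CONNTRACK" | conntrack_state_summary
```

On a live host call live_conntrack_check 80 from cron or a monitoring agent; a table that stays near the limit after the traffic has stopped is the symptom the post describes.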