Discussion subject: The missing conntrack garbage collector Netfilter Workshop 2011 d.23/ by Jesper Dangaard Brouer Master of Computer Science ComX.

Slides:



Advertisements
Similar presentations
TDPS Wireless v Enhancements E1 - Multi load E2 - Driver time scheduler.
Advertisements

Research Notes Tool Chuck Connell, Tufts Univ.. Tufts University Computer Science22 Two Research Problems References… Many types – books, articles, web.
Genesis: from raw hardware to processes System booting sequence: how does a machine come into life.
CMSC 414 Computer (and Network) Security Lecture 13 Jonathan Katz.
Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.
Memory Management 1 CS502 Spring 2006 Memory Management CS-502 Spring 2006.
CS-3013 & CS-502, Summer 2006 Memory Management1 CS-3013 & CS-502 Summer 2006.
Computer Networks Transport Layer. Topics F Introduction  F Connection Issues F TCP.
7/14/2015EECS 584, Fall MapReduce: Simplied Data Processing on Large Clusters Yunxing Dai, Huan Feng.
K.U.Leuven. K.U.LEUVEN – ICTI Netwerken BCrouter: Overview How did it start... Main features Authentication Quota & Bandwidth Examples of user.
Fundamentals of Networking Discovery 1, Chapter 2 Operating Systems.
NetFilter – IPtables Firewall –Series of rules to govern what Kind of access to allow on your system –Packet filtering –Drop or Accept packets NAT –Network.
CIS 450 – Network Security Chapter 16 – Covering the Tracks.
Physical Database Design & Performance. Optimizing for Query Performance For DBs with high retrieval traffic as compared to maintenance traffic, optimizing.
Windows Security. Security Windows 2000/XP Professional security oriented Authentication Authorization Internet Connection Firewall.
8.4 paging Paging is a memory-management scheme that permits the physical address space of a process to be non-contiguous. The basic method for implementation.
Security at NCAR David Mitchell February 20th, 2007.
DiFMon Distributed Flow Monitor Dario Salvi Consorzio Interuniversitario Nazionale per l’Informatica (CINI) Naples, Italy.
Heavy and lightweight dynamic network services: challenges and experiments for designing intelligent solutions in evolvable next generation networks Laurent.
AppSec USA 2014 Denver, Colorado CMS Hacking 101 Hacking and Securing Popular Open Source Content Management Systems.
The Implementation of 6TALK Yong-Geun Hong The 1 st GLOBAL IPv6 Summit in AP
Virtual Memory Virtual Memory is created to solve difficult memory management problems Data fragmentation in physical memory: Reuses blocks of memory.
File Systems Security File Systems Implementation.
1 Linux Security. 2 Linux is not secure No computer system can ever be "completely secure". –make it increasingly difficult for someone to compromise.
Advanced Packet Analysis and Troubleshooting Using Wireshark 23AF
Module 13: Monitoring Resources and Performance. Overview Using Task Manager to Monitor System Performance Using Performance and Maintenance Tools to.
CCNA1 v3 Module 1 v3 CCNA 1 Module 1 JEOPARDY K. Martin.
LINUX® Netfilter The Linux Firewall Engine. Overview LINUX® Netfilter is a firewall engine built into the Linux kernel Sometimes called “iptables” for.

Jesper Dangaard Brouer Senior Kernel Engineer, Red Hat d.11/ The IPTV-Analyzer OpenSourceDays 2012.
Challenges and experiences with IPTV from a network point of view Challenges and experiences with IPTV from a network point of view by Jesper Dangaard.

10Gbit/s Bi-Directional Routing on standard hardware running Linux 10Gbit/s Bi-Directional Routing on standard hardware running Linux by Jesper Dangaard.
Status from the IPTV probe project Status from the IPTV probe project Bifrost Workshop 2010 d.27/ ComX Networks A/S by Jesper Dangaard Brouer Master.
Open Source IPTV-Analyzer Based on Netfilter Formerly known as mp2t or mpeg2ts Netfilter Workshop 2011 d.22/ by Jesper Dangaard Brouer Master of.
Netfilter: Making large iptables rulesets scale Netfilter: Making large iptables rulesets scale by Jesper Dangaard Brouer Master of Computer Science ComX.
Challenges and experiences with IPTV from a network point of view 7.th Netfilter Workshop 18.th to 21.th October 2010 ComX Networks A/S by Jesper Dangaard.
INFSO-RI Enabling Grids for E-sciencE Workshop WLCG Security for Grid Sites Louis Poncet System Engineer SA3 - OSCT.
Perl iptables interface CPAN IPTables::libiptc Netfilter Workshop 2011 d.24/ by Jesper Dangaard Brouer Master of Computer Science ComX Networks A/S.
Status from Martin Josefsson Hardware level performance of Status from Martin Josefsson Hardware level performance of by Jesper Dangaard Brouer.
April, 2010Oren Laadan, Columbia University 1 Network Migration in Linux Oren Laadan
Common System Exploits Tom Chothia Computer Security, Lecture 17.
Microsoft OS Vulnerabilities April 1, 2010 MIS 4600 – MBA © Abdou Illia.
Managing and Directing Network Traffic with Linux
Netfilter: Making large iptables rulesets scale Netfilter: Making large iptables rulesets scale by Jesper Dangaard Brouer Master of Computer Science ComX.
Ingress bandwidth shaping vs. Netfilter
Lecture 11 Virtual Memory
Jonathan Walpole Computer Science Portland State University
Seamless Guest OS's and more!
Memory COMPUTER ARCHITECTURE
Securing services in a unix-based environment
Modifying libiptc: Making large iptables rulesets scale
Virtual Memory User memory model so far:
Securing services in a unix-based environment
143A: Principles of Operating Systems Lecture 6: Address translation (Paging) Anton Burtsev October, 2017.
Operating System Structure

Report from Netconf 2009 Jesper Dangaard Brouer
Nessus Vulnerability Scanning
Practical Rootkit Detection with RAI
Mumtaz Ali Rajput +92 – INFORMATION SECURITY – WEEK 5 Mumtaz Ali Rajput +92 – 301-
Intro. To Operating Systems
Dynamic Process Allocation in Apache Server
ColdFusion Performance Troubleshooting and Tuning
SECURITY IN THE LINUX OPERATING SYSTEM
Lecture 3: Main Memory.
Implementing an OpenFlow Switch on the NetFPGA platform
Reverse engineering through full system simulations
Computer Science The 6 Programming Steps.
What is an operating system An operating system is the most important software that runs on a computer. It manages the computer's memory and processes,
Presentation transcript:

Discussion subject: The missing conntrack garbage collector Netfilter Workshop 2011 d.23/ by Jesper Dangaard Brouer Master of Computer Science ComX Networks A/S

2 /6 Discussion: Handling running out-of conntrack entries What is the problem? ● Easy Denial of Service attack on servers ● Fixed max number of connection tracking entries – If > max, simply drop of new connections ● Kernel syslog: – "nf_conntrack: table full, dropping packet" ● Default max size: Too low – Machine with 12GB memory, kernel 3.0.2: – nf_conntrack version (16384 buckets, max) – Entry size 304 bytes * =~ 20 Mbytes

3 /6 Discussion: Handling running out-of conntrack entries Extra problems ● Hash size problem – Only increasing max conntrack → ● perf problems, list search in hash ● Hash size read only: – /proc/sys/net/netfilter/nf_conntrack_buckets ● Changing nf_conntrack hash size: – /sys/module/nf_conntrack/parameters/hashsize – Or when loading the module nf_conntrack

4 /6 Discussion: Handling running out-of conntrack entries Mitigation ● Manually adjusting timeouts (/proc/sys/net/netfilter/) – nf_conntrack_generic_timeout – nf_conntrack_udp_timeout – nf_conntrack_udp_timeout_stream – nf_conntrack_icmp_timeout – nf_conntrack_tcp_timeout_close – nf_conntrack_tcp_timeout_close_wait – nf_conntrack_tcp_timeout_established – nf_conntrack_tcp_timeout_fin_wait – nf_conntrack_tcp_timeout_last_ack – nf_conntrack_tcp_timeout_max_retrans – nf_conntrack_tcp_timeout_syn_recv – nf_conntrack_tcp_timeout_syn_sent – nf_conntrack_tcp_timeout_time_wait – nf_conntrack_tcp_timeout_unacknowledged

5 /6 Discussion: Handling running out-of conntrack entries Discussion ● Howto solve this? – I don't have the solution, please help out! ● Code: calls early_drop() when max – Only kills not assured conns (=no two way traffic) – Sanjay own version of early_drop() ● Adjusting timeouts dynamic? – Problem: full scan of list, to update timeout ● What is the “good” strategy under DoS attack?

6 /6 Discussion: Handling running out-of conntrack entries The End ● Anybody interested in working on this?

7 /6 Discussion: Handling running out-of conntrack entries Who am I ● Name: Jesper Dangaard Brouer – Edu: Computer Science for Uni. Copenhagen ● Focus on Network, Dist. sys and OS – Linux user since 1996, professional since 1998 ● Sysadm, Kernel Developer, Embedded – OpenSource projects, author of – ADSL-optimizer – CPAN IPTables::libiptc – IPTV-Analyzer ● Patches accepted into – Linux kernel, iproute2, iptables, libpcap and Wireshark

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.