Presentation is loading. Please wait.

Presentation is loading. Please wait.

Discussion subject: The missing conntrack garbage collector Netfilter Workshop 2011 d.23/ by Jesper Dangaard Brouer Master of Computer Science ComX.

Published byChad Gray Modified over 8 years ago

Similar presentations

Presentation on theme: "Discussion subject: The missing conntrack garbage collector Netfilter Workshop 2011 d.23/ by Jesper Dangaard Brouer Master of Computer Science ComX."— Presentation transcript:

1 Discussion subject: The missing conntrack garbage collector Netfilter Workshop 2011 d.23/8-2011 by Jesper Dangaard Brouer Master of Computer Science ComX Networks A/S

2 2 /6 Discussion: Handling running out-of conntrack entries What is the problem? ● Easy Denial of Service attack on servers ● Fixed max number of connection tracking entries – If > max, simply drop of new connections ● Kernel syslog: – "nf_conntrack: table full, dropping packet" ● Default max size: Too low – Machine with 12GB memory, kernel 3.0.2: – nf_conntrack version 0.5.0 (16384 buckets, 65536 max) – Entry size 304 bytes * 65536 =~ 20 Mbytes

3 3 /6 Discussion: Handling running out-of conntrack entries Extra problems ● Hash size problem – Only increasing max conntrack → ● perf problems, list search in hash ● Hash size read only: – /proc/sys/net/netfilter/nf_conntrack_buckets ● Changing nf_conntrack hash size: – /sys/module/nf_conntrack/parameters/hashsize – Or when loading the module nf_conntrack

4 4 /6 Discussion: Handling running out-of conntrack entries Mitigation ● Manually adjusting timeouts (/proc/sys/net/netfilter/) – nf_conntrack_generic_timeout – nf_conntrack_udp_timeout – nf_conntrack_udp_timeout_stream – nf_conntrack_icmp_timeout – nf_conntrack_tcp_timeout_close – nf_conntrack_tcp_timeout_close_wait – nf_conntrack_tcp_timeout_established – nf_conntrack_tcp_timeout_fin_wait – nf_conntrack_tcp_timeout_last_ack – nf_conntrack_tcp_timeout_max_retrans – nf_conntrack_tcp_timeout_syn_recv – nf_conntrack_tcp_timeout_syn_sent – nf_conntrack_tcp_timeout_time_wait – nf_conntrack_tcp_timeout_unacknowledged

5 5 /6 Discussion: Handling running out-of conntrack entries Discussion ● Howto solve this? – I don't have the solution, please help out! ● Code: calls early_drop() when max – Only kills not assured conns (=no two way traffic) – Sanjay own version of early_drop() ● Adjusting timeouts dynamic? – Problem: full scan of list, to update timeout ● What is the “good” strategy under DoS attack?

6 6 /6 Discussion: Handling running out-of conntrack entries The End ● Anybody interested in working on this?

7 7 /6 Discussion: Handling running out-of conntrack entries Who am I ● Name: Jesper Dangaard Brouer – Edu: Computer Science for Uni. Copenhagen ● Focus on Network, Dist. sys and OS – Linux user since 1996, professional since 1998 ● Sysadm, Kernel Developer, Embedded – OpenSource projects, author of – ADSL-optimizer – CPAN IPTables::libiptc – IPTV-Analyzer ● Patches accepted into – Linux kernel, iproute2, iptables, libpcap and Wireshark

Download ppt "Discussion subject: The missing conntrack garbage collector Netfilter Workshop 2011 d.23/ by Jesper Dangaard Brouer Master of Computer Science ComX."

Similar presentations

TDPS Wireless v1.8.1900. Enhancements E1 - Multi load E2 - Driver time scheduler.

TDPS Wireless v Enhancements E1 - Multi load E2 - Driver time scheduler.
Research Notes Tool Chuck Connell, Tufts Univ.. Tufts University Computer Science22 Two Research Problems References… Many types – books, articles, web.

Research Notes Tool Chuck Connell, Tufts Univ.. Tufts University Computer Science22 Two Research Problems References… Many types – books, articles, web.
Genesis: from raw hardware to processes System booting sequence: how does a machine come into life.

Genesis: from raw hardware to processes System booting sequence: how does a machine come into life.
CMSC 414 Computer (and Network) Security Lecture 13 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 13 Jonathan Katz.
Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.

Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.
Memory Management 1 CS502 Spring 2006 Memory Management CS-502 Spring 2006.

Memory Management 1 CS502 Spring 2006 Memory Management CS-502 Spring 2006.
CS-3013 & CS-502, Summer 2006 Memory Management1 CS-3013 & CS-502 Summer 2006.

CS-3013 & CS-502, Summer 2006 Memory Management1 CS-3013 & CS-502 Summer 2006.
Computer Networks Transport Layer. Topics F Introduction  F Connection Issues F TCP.

Computer Networks Transport Layer. Topics F Introduction  F Connection Issues F TCP.
7/14/2015EECS 584, Fall 20111 MapReduce: Simplied Data Processing on Large Clusters Yunxing Dai, Huan Feng.

7/14/2015EECS 584, Fall MapReduce: Simplied Data Processing on Large Clusters Yunxing Dai, Huan Feng.
K.U.Leuven. K.U.LEUVEN – ICTI Netwerken BCrouter: Overview How did it start... Main features Authentication Quota & Bandwidth Examples of user.

K.U.Leuven. K.U.LEUVEN – ICTI Netwerken BCrouter: Overview How did it start... Main features Authentication Quota & Bandwidth Examples of user.
Fundamentals of Networking Discovery 1, Chapter 2 Operating Systems.

Fundamentals of Networking Discovery 1, Chapter 2 Operating Systems.
NetFilter – IPtables Firewall –Series of rules to govern what Kind of access to allow on your system –Packet filtering –Drop or Accept packets NAT –Network.

NetFilter – IPtables Firewall –Series of rules to govern what Kind of access to allow on your system –Packet filtering –Drop or Accept packets NAT –Network.
CIS 450 – Network Security Chapter 16 – Covering the Tracks.

CIS 450 – Network Security Chapter 16 – Covering the Tracks.
Physical Database Design & Performance. Optimizing for Query Performance For DBs with high retrieval traffic as compared to maintenance traffic, optimizing.

Physical Database Design & Performance. Optimizing for Query Performance For DBs with high retrieval traffic as compared to maintenance traffic, optimizing.
Windows Security. Security Windows 2000/XP Professional security oriented Authentication Authorization Internet Connection Firewall.

Windows Security. Security Windows 2000/XP Professional security oriented Authentication Authorization Internet Connection Firewall.
8.4 paging Paging is a memory-management scheme that permits the physical address space of a process to be non-contiguous. The basic method for implementation.

8.4 paging Paging is a memory-management scheme that permits the physical address space of a process to be non-contiguous. The basic method for implementation.
Security at NCAR David Mitchell February 20th, 2007.

Security at NCAR David Mitchell February 20th, 2007.
DiFMon Distributed Flow Monitor Dario Salvi Consorzio Interuniversitario Nazionale per l’Informatica (CINI) Naples, Italy.

DiFMon Distributed Flow Monitor Dario Salvi Consorzio Interuniversitario Nazionale per l’Informatica (CINI) Naples, Italy.
Heavy and lightweight dynamic network services: challenges and experiments for designing intelligent solutions in evolvable next generation networks Laurent.

Heavy and lightweight dynamic network services: challenges and experiments for designing intelligent solutions in evolvable next generation networks Laurent.
AppSec USA 2014 Denver, Colorado CMS Hacking 101 Hacking and Securing Popular Open Source Content Management Systems.

AppSec USA 2014 Denver, Colorado CMS Hacking 101 Hacking and Securing Popular Open Source Content Management Systems.

Similar presentations

Ads by Google