>A recent DDoS took down my Linux router. It had a light iptables
>ruleset and connection tracking enabled. It was a dual CPU Xeon with
>dual Intel Gigabit on board (using the e1000 driver.) After the
>attack was under way for several minutes, the external interface was
>seeing about 600,000 pps at ~350Mbit/sec. The link is 1Gb, so it

Right, if you have connection tracking, that IS going to slow down the 'load' the box can cope with a LOT! You may want some kind of simpler non-conntracking machine in front, that has a simpler stateless firewall configuration on it... -- maybe a 'syncookies firewall' on that machine too....

Then the 'Linux router' that actually deals with (NAT? on your network) and any such like doesn't have to receive all the rubbish filling up its connection tracking tables and taking up its CPU time in general with netfilter etc. etc.

I'm not sure, but... think of the complexity of the kernel's work... A stateful firewall does lots of thinking... and hence is ''slow'' dealing with daft amounts of traffic (depending what the daft traffic is).

If you give me more information on what the DDoS traffic actually IS, I can give you more input on how you may combat it ;-). [And MORE INFORMATION on what connections go out or in via this routing interface]...

--
S Iremonger <exxsi@bath.ac.uk>
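As an added example (not code from either poster), here is what the "stateless box in front" suggested above looks like as an iptables ruleset: the raw table marks everything arriving on the external interface NOTRACK so conntrack never allocates an entry for it, the filter table uses only per-packet header matches (no -m state / -m conntrack), and SYN cookies are switched on for the front-end host's own sockets. The interface name, inner prefix and allowed ports are assumptions for illustration; the script only generates the files as text so they can be reviewed before being loaded with iptables-restore and sysctl.

```shell
#!/bin/sh
# Added example, not from the original linux-net thread.
# Generates (does not apply) a stateless front-end ruleset:
#   - raw table: NOTRACK on the external interface, so conntrack never
#     creates entries for forwarded flood traffic
#   - filter table: per-packet header matches only, no state matching
#   - sysctl: SYN cookies for sockets on this host
# Names/addresses below are assumptions chosen for the example.

WAN_IF="${WAN_IF:-eth0}"                 # assumed external interface
INNER_NET="${INNER_NET:-192.0.2.0/24}"   # assumed network behind the conntrack router (TEST-NET-1)
ALLOWED_TCP_PORTS="${ALLOWED_TCP_PORTS:-80 443}"  # assumed services exposed to the outside

# Raw table, evaluated before conntrack: -j NOTRACK tells netfilter not to
# track these packets, so the conntrack table is never touched for them.
gen_raw_rules() {
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i $WAN_IF -j NOTRACK
-A OUTPUT -o $WAN_IF -j NOTRACK
COMMIT
EOF
}

# Filter table with no state matching at all.  Return traffic is let in with
# the classic stateless approximation "TCP without SYN" (! --syn), which is
# cheap but cannot tell a forged ACK/RST from a genuine reply.
gen_filter_rules() {
    rules=""
    for p in $ALLOWED_TCP_PORTS; do
        rules="$rules
-A FORWARD -i $WAN_IF -d $INNER_NET -p tcp --dport $p -j ACCEPT"
    done
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# anti-spoofing: inside addresses must never arrive on the WAN side
-A FORWARD -i $WAN_IF -s $INNER_NET -j DROP
# stateless "established": TCP packets that are not a bare SYN
-A FORWARD -i $WAN_IF -d $INNER_NET -p tcp ! --syn -j ACCEPT${rules}
# everything originating from the inside may leave
-A FORWARD ! -i $WAN_IF -s $INNER_NET -j ACCEPT
COMMIT
EOF
}

# SYN cookies only protect listening sockets on this host, not the hosts
# behind it; they still matter if the front end terminates anything itself.
gen_sysctl() {
    printf 'net.ipv4.tcp_syncookies = 1\n'
}

# Stand-alone use: ./frontend.sh show  > review, then
#   iptables-restore < raw+filter file ; sysctl -p sysctl file
if [ "${1:-}" = "show" ]; then
    gen_raw_rules
    gen_filter_rules
    gen_sysctl
fi
```

Note that the front-end box now forwards anything that looks like a reply, so the conntrack router behind it still does the real stateful filtering; the front end only keeps the flood from ever reaching the conntrack table. Management access to the front end must be added to INPUT explicitly, since the example defaults that chain to DROP.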