Hi there, I have a firewall capable of handling more than 30,000 connections. Normally the connection number is around 3,000, but sometimes it gets maxed out, and I can't tell what caused it. So I put in a Linux box with iptables to debug it. The Linux box is doing NAT. Let's assume that a LAN PC's source address and port is 1.1.1.1:1000 and the destination address and port is 100.100.100.100:80, and the LAN address of the Linux box is 2.2.2.2 and its WAN address is 90.90.90.90. I noticed that about 40% of the entries in my ip_conntrack table look like this:

Tcp SYN src=1.1.1.1 dst=100.100.100.100 sport=1000 dport=80 [UNREPLIED] Src=100.100.100.100 dst=90.90.90.90 sport=80 dport=1000

What concerned me is the portion "dst=90.90.90.90". Isn't it supposed to be "1.1.1.1"? Otherwise, how could the connection be completed? If this is an attack or virus, what kind of attack is it? Any suggestion to stop it? Thanks.

George Hong
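Added example (not part of George's post): a small Python script that parses conntrack entries in the layout shown above. Two things it makes visible. First, the reply tuple of a connection that went through SNAT/MASQUERADE is expected to carry the firewall's WAN address as dst (the remote server answers 90.90.90.90, and conntrack maps that back to 1.1.1.1), so that field alone is not evidence of an attack. Second, what does fill a conntrack table is a large share of [UNREPLIED] half-open entries, so the script counts those per LAN source and per destination port, which is the quickest way to find the one host or program responsible. The sample lines, the WAN address 90.90.90.90 and the function names are constructed for this example; on a real box you would feed it the contents of /proc/net/ip_conntrack (or the output of conntrack -L), whose lines carry a few extra tokens that the parser tolerates.

```python
import re
from collections import Counter

# Constructed sample entries in the layout the post shows: original tuple,
# an optional [UNREPLIED] flag, then the reply tuple. Not real capture data.
SAMPLE_CONNTRACK = """\
tcp SYN src=1.1.1.1 dst=100.100.100.100 sport=1000 dport=80 [UNREPLIED] src=100.100.100.100 dst=90.90.90.90 sport=80 dport=1000
tcp SYN src=1.1.1.1 dst=100.100.100.100 sport=1001 dport=80 [UNREPLIED] src=100.100.100.100 dst=90.90.90.90 sport=80 dport=1001
tcp SYN src=1.1.1.1 dst=100.100.100.101 sport=1002 dport=443 [UNREPLIED] src=100.100.100.101 dst=90.90.90.90 sport=443 dport=1002
tcp ESTABLISHED src=1.1.1.2 dst=100.100.100.100 sport=2000 dport=80 src=100.100.100.100 dst=90.90.90.90 sport=80 dport=2000
tcp ESTABLISHED src=2.2.2.2 dst=2.2.2.50 sport=3000 dport=22 src=2.2.2.50 dst=2.2.2.2 sport=22 dport=3000
"""

# One 4-tuple as conntrack prints it; a line carries two of them (original, reply).
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


def parse_entry(line):
    """Return a dict for one conntrack line, or None if it does not hold two tuples."""
    tuples = TUPLE_RE.findall(line)
    if len(tuples) != 2:
        return None
    # Tokens before the first tuple: protocol first, TCP state last. This also
    # covers the real /proc/net/ip_conntrack layout ("tcp 6 117 SYN_SENT src=...").
    head = line[: line.index("src=")].split()
    orig, reply = [dict(zip(("src", "dst", "sport", "dport"), t)) for t in tuples]
    return {
        "proto": head[0],
        "state": head[-1] if len(head) > 1 else "",
        "orig": orig,
        "reply": reply,
        "unreplied": "[UNREPLIED]" in line,
    }


def parse_conntrack(text):
    """Parse a whole table dump, skipping lines that are not conntrack entries."""
    return [e for e in (parse_entry(l) for l in text.splitlines()) if e]


def is_snat_reply(entry, wan_ip):
    """True when the reply tuple is exactly what SNAT/MASQUERADE produces: the
    remote peer answers to the firewall's WAN address on the original dport.
    (SNAT may remap sport on a collision, in which case dport would differ.)"""
    r, o = entry["reply"], entry["orig"]
    return r["dst"] == wan_ip and r["src"] == o["dst"] and r["sport"] == o["dport"]


def unreplied_by_source(entries):
    """Half-open (UNREPLIED) entries per LAN source: which host is filling the table."""
    return Counter(e["orig"]["src"] for e in entries if e["unreplied"])


def summarize(text, wan_ip):
    """Table-level view: how much of the table is half-open, and who causes it."""
    entries = parse_conntrack(text)
    unreplied = [e for e in entries if e["unreplied"]]
    return {
        "total": len(entries),
        "unreplied": len(unreplied),
        "unreplied_ratio": round(len(unreplied) / len(entries), 2) if entries else 0.0,
        # Half-open entries whose reply tuple is the normal SNAT shape: the
        # WAN address in dst is expected, not a sign of spoofing.
        "snat_unreplied": sum(1 for e in unreplied if is_snat_reply(e, wan_ip)),
        "top_sources": unreplied_by_source(entries).most_common(3),
        "unreplied_dports": Counter(e["orig"]["dport"] for e in unreplied).most_common(3),
    }


if __name__ == "__main__":
    # Usage: python3 conntrack_summary.py < /proc/net/ip_conntrack (sample used here)
    for key, value in summarize(SAMPLE_CONNTRACK, "90.90.90.90").items():
        print(f"{key}: {value}")
```

A high unreplied_ratio concentrated on one LAN source (and usually one or two destination ports) points at a host that opens far more connections than complete, which is the pattern behind a full conntrack table; the entries with ESTABLISHED state and a reply dst of the WAN address are ordinary NATed sessions.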