Hello Netfilter,
Today I wanted to do some LAN tests with two machines, where I would use
one to SYN flood the other.
I am using a firewall with conntrack enabled. I noticed that while I made
the attack (50k pps @ 15 Mbit/s from random IPs) I immediately saw the
conntrack count reach 65535, which is my max value. Packets
immediately started being lost almost in full.
Questions:
a.) Shouldn't SYN cookies (which are enabled) deal with the SYN flood
without compromising my state table?
b.) If my state table is full, why am I not getting any table-full error
message in dmesg or syslog? I tried setting max conntrack to something
lower (10,000) and even when it maxed out it didn't give any warning. In fact I
had to set it to 100, and only then did I get the conntrack table-full
message.
c.) I tried disabling iptables altogether (thus no conntrack) and I
still saw 100% packet loss. I am sure I am not hitting a CPU or link limit
because previously I hit 100k pps / 50 Mbit/s, and now I am doing half that
for testing and still using syncookies. Why would I still be losing
packets?
Thanks for the help!
Alex
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
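The knobs Alex is asking about, as an added shell example that is not part of the original message or of netfilter itself. It reads the conntrack sysctls where they exist, estimates how many entries a SYN flood from random sources pins in the SYN_SENT state (conntrack allocates a NEW entry for the incoming SYN in PREROUTING, before the local TCP stack decides whether to answer with a cookie, so tcp_syncookies protects the listen backlog rather than the state table), and counts the "table full, dropping packet" warnings in a constructed dmesg excerpt (the kernel emits that warning through net_ratelimit, so its count is a lower bound, not a drop counter). The sysctl paths, the fallback values used when the files are absent (65535 from the post, 120 s for the SYN_SENT timeout) and the log lines are assumptions or constructed data.

```shell
#!/bin/sh
# Added example (not from the original post). Estimates the load a SYN flood
# from random source addresses places on the conntrack table, and counts the
# rate-limited "table full" warnings in a dmesg-style log.
# Assumed paths: /proc/sys/net/netfilter and /proc/sys/net/ipv4 on Linux;
# fallback values are substituted when run off-box or without conntrack loaded.

CT_DIR=/proc/sys/net/netfilter

# read_sysctl FILE DEFAULT: print the sysctl value, or DEFAULT when the file
# is missing (conntrack module not loaded, or not running on the firewall).
read_sysctl() {
    if [ -r "$1" ]; then cat "$1"; else echo "$2"; fi
}

# flood_steady_state PPS TIMEOUT: entries held open by PPS new SYNs per second
# from distinct sources, each entry living TIMEOUT seconds in SYN_SENT.
flood_steady_state() {
    echo $(( $1 * $2 ))
}

# seconds_to_fill MAX PPS: whole seconds (rounded up) until MAX entries are
# consumed at PPS new flows per second; "never" when PPS is 0.
seconds_to_fill() {
    if [ "$2" -le 0 ]; then echo never; return; fi
    echo $(( ($1 + $2 - 1) / $2 ))
}

# count_table_full LOGFILE: number of conntrack "table full" lines in a
# dmesg-style log. Prints 0 (and returns success) when there are none.
count_table_full() {
    grep -c 'table full, dropping packet' "$1" || true
}

# Constructed dmesg excerpt for demonstration, not a real capture.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
[ 1204.118] nf_conntrack: table full, dropping packet.
[ 1204.118] nf_conntrack: table full, dropping packet.
[ 1204.119] nf_conntrack: table full, dropping packet.
[ 1209.201] net_ratelimit: 48213 callbacks suppressed
[ 1209.201] nf_conntrack: table full, dropping packet.
EOF

MAX=$(read_sysctl "$CT_DIR/nf_conntrack_max" 65535)           # post's value as fallback
SYN_SENT=$(read_sysctl "$CT_DIR/nf_conntrack_tcp_timeout_syn_sent" 120)
COOKIES=$(read_sysctl /proc/sys/net/ipv4/tcp_syncookies 1)
PPS=${1:-50000}                                                # the post's flood rate

echo "conntrack max:       $MAX"
echo "syn_sent timeout:    ${SYN_SENT}s"
echo "tcp_syncookies:      $COOKIES (guards the listen backlog, not conntrack)"
echo "flood steady state:  $(flood_steady_state "$PPS" "$SYN_SENT") entries at $PPS pps"
echo "table full after:    $(seconds_to_fill "$MAX" "$PPS") s"
echo "table-full warnings in sample log: $(count_table_full "$SAMPLE_LOG")"
rm -f "$SAMPLE_LOG"
```

Run it on the firewall with the flood rate as the first argument (`sh ct-flood.sh 50000`); at the post's numbers the table fills in about two seconds and the flood would need roughly six million entries to stay below the limit, which is why lowering nf_conntrack_max cannot help and why raising it only delays the same outcome.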