Hello List!

I got a small (50mbits or so) application layer ddos attack against a few name servers (thousands of IPs sending lots of bogus A record requests - weird) - one of the name servers was behind a shorewall firewall. That firewall was running a 2.6.18-194.11.1.el5 kernel and shorewall-4.4.11.1-1. I noticed that the shorewall host had ksoftirqd using 100% of the CPU during the attack and was kind of slow in general as a result - I think this may have affected traffic to other hosts behind that firewall as well.

Any ideas what would cause this? I was hoping to avoid this scenario in the future if possible since I plan on deploying some other name servers behind shorewall (latest stable on 2.6.32-358.0.1.el6.x86_64) as a result of this incident, but would ideally have a fix for this in place. I should probably point out that the blacklist file had around 500 entries in it - not sure that would have any effect on things.

During the attack, the kernel logged a bunch of these:

ip_conntrack: table full, dropping packet

Possibly the result of connection tracking? Does netfilter even track UDP "connections"? I thought UDP was connectionless. Is the only workaround for cases like this just to have larger connection tracking values in the kernel? Does that help with the ksoftirqd CPU use? Or is it best in this case to just not have it track connection state for DNS traffic at all and just forward the packets along? How is the ideal solution for this case implemented?

Any help is appreciated!

Michael

P.S. The attack ended up coming from a bunch of networks mostly in Taiwan - had my provider drop traffic from those networks and the problem was solved.

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
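As an added example (not part of Michael's post and not Shorewall's own code), a small POSIX sh helper that reads the conntrack sysctls exposed by both the 2.6.18 (ip_conntrack) and 2.6.32 (nf_conntrack) kernels, counts "table full" messages in a log, and prints the raw-table NOTRACK rules that exempt a forwarded name server's UDP/53 traffic from tracking. The 80% warning threshold, the interface name and the name server address are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: helpers for diagnosing the
# "conntrack: table full, dropping packet" condition and for exempting a
# forwarded name server's DNS traffic from connection tracking.

# Percentage of the conntrack table in use: conntrack_pct COUNT MAX
conntrack_pct() {
    [ "$2" -gt 0 ] 2>/dev/null || { echo "max must be > 0" >&2; return 1; }
    echo $(( $1 * 100 / $2 ))
}

# Classify table pressure (thresholds are this example's assumption):
# ok below 80%, warning from 80%, full at 100%.
conntrack_state() {
    pct=$(conntrack_pct "$1" "$2") || return 1
    if [ "$pct" -ge 100 ]; then echo full
    elif [ "$pct" -ge 80 ]; then echo warning
    else echo ok
    fi
}

# Count "table full" messages on stdin. Matches both the 2.6.18-era
# "ip_conntrack:" prefix and the newer "nf_conntrack:" prefix.
count_table_full() {
    grep -c '_conntrack: table full, dropping packet' || true
}

# Read the live COUNT and MAX from whichever sysctl tree the running
# kernel exposes (ip_conntrack on 2.6.18, nf_conntrack on 2.6.32).
live_conntrack() {
    for p in /proc/sys/net/netfilter/nf_conntrack \
             /proc/sys/net/ipv4/netfilter/ip_conntrack; do
        if [ -r "${p}_count" ] && [ -r "${p}_max" ]; then
            echo "$(cat "${p}_count") $(cat "${p}_max")"
            return 0
        fi
    done
    echo "no conntrack sysctls found" >&2
    return 1
}

# Print raw-table rules that skip tracking for queries to a forwarded name
# server and for its replies, so a query flood cannot fill the table.
# $1 is the internet-facing interface, $2 the name server's address (both placeholders).
dns_notrack_rules() {
    echo "iptables -t raw -A PREROUTING -i $1 -p udp --dport 53 -d $2 -j NOTRACK"
    echo "iptables -t raw -A PREROUTING -p udp --sport 53 -s $2 -j NOTRACK"
}
```

Raising ip_conntrack_max only buys headroom; with the NOTRACK rules in place the flood never creates entries in the first place, so the table cannot fill because of DNS traffic.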
