netfilter ip_conntrack and (d)DoS

Question

Does using netfilter.ip_conntrack in the kernel in anyway help mitigate (d)DoS attacks or does it make it worse?

I know it adds the ability to track connections and such but just curious if it helps or just makes the attacks worse by bogging down connections.

replay · Answer 1 · 2013-02-16T02:26:28.840

1

Depends on your priorities.

It will make it better in the sense of that your machine doesn't die, because once the net.ipv4.netfilter.ip_conntrack_max is reached, the machine will simply stop accepting connections instead of getting overloaded.

It will make it worse in the sense of that your machine stops accepting connections.

On most of my own high traffic servers i have simply unloaded the ip_conntrack kernel module. If you dont use its functionality for something like NAT it's not necessary to have it active.

edited Feb 16 '13 at 02:26

answered Feb 15 '13 at 16:40

replay

3,180
13
16

So if I just make that a massive huge number everything is fine and it can help mitigate an attack? – Tiffany Walker Feb 15 '13 at 17:49

score 0 · Answer 2 · answered Feb 14 '13 at 22:18

0

Nope, it'll make it worse. Filling up the ip_conntrack table is a relatively easy way to knock a server off line, and attackers know this.

answered Feb 14 '13 at 22:18

Stephan

999
7
11

So no matter how big you make the tables or numbers in sysctl it will always get backfilled? – Tiffany Walker Feb 14 '13 at 22:32

netfilter ip_conntrack and (d)DoS

2 Answers2