Too many connections on the same IP
/dev/rob0
rob0 at gmx.co.uk
Wed Mar 4 13:56:47 UTC 2015
On Wed, Mar 04, 2015 at 09:47:59AM +0100,
Stefan.Lasche at t-systems.com wrote:
> Are you using iptables Firewall?
> Does the problem only occur on UDP connections to the problematic
> IP? Or also on TCP connections to the same IP?
>
> I had similar problems (not with bind) when the connection table of
> iptables "state" module was too small. Iptables started dropping
> packets, because it couldn't keep track of new connections.
The ISC Knowledge Base has an article about this:
https://kb.isc.org/article/AA-01183
> Since UDP is by definition stateless, the "state" module tries
> to invent some sort of connection status, based on source- and
> destination ports.
Linux connection tracking is protocol-agnostic, but yes, aspects of
the protocol (such as source and destination ports if applicable) are
considered in defining what is considered a "connection".
> This sometimes makes trouble. Especially when there are lots of
> concurrent connections and the same UDP-ports show up over and over
> again (e.g. when DNS-Clients do not use Source Port Randomization).
The trouble comes if/when the table is too small to account for many
random ports. Each "connection" is only two packets: a query coming
in, and a reply going out.
> You could try to remove the state module (-m state --state NEW)
> from your UDP firewall rule for BIND and see if that helps.
It probably would not, because each query/reply is still seen as a
"connection" to the kernel. A more sophisticated and effective
approach is as described in the article above, using the "raw" table
and "-j CT --notrack".
> I believe there are separate state tables for each network
> interface. This could explain, why your second IP is still
> responding.
There is a single conntrack table for the system, and all entries
therein are based on packet header information: source and
destination IP address (and ports if applicable).
We really don't have enough information in this thread to be able to
answer the OP's questions.
--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
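An added example, not part of the original post or of the ISC article: the
sizing arithmetic behind "each query/reply is one conntrack entry" and the
raw-table exemption the reply points to, as a small POSIX sh script. It
assumes the default nf_conntrack_udp_timeout of 30 seconds, uses constructed
sample values for the query rate and for nf_conntrack_count/nf_conntrack_max
(on a live system those two come from /proc/sys/net/netfilter/), and adds
plain ACCEPT rules for port 53 in the filter table because packets marked
NOTRACK do not match "-m state --state NEW,ESTABLISHED".

```shell
#!/bin/sh
# Added example (not the poster's or ISC's code). Estimates the conntrack
# load a DNS server generates and emits the raw-table rules that keep DNS
# out of the conntrack table altogether.

# dns_conntrack_load QPS TIMEOUT_SECONDS
# Every query/reply pair creates one conntrack entry that stays in the
# table for TIMEOUT seconds after its last packet, so at steady state
# DNS alone occupies roughly qps * timeout entries.
dns_conntrack_load() {
    qps=$1
    timeout=$2
    echo $((qps * timeout))
}

# conntrack_headroom CURRENT_COUNT MAX EXPECTED_EXTRA
# Prints "overflow" when the expected extra entries would fill the table
# (the point at which the kernel starts dropping packets), "ok" otherwise.
# Live values: /proc/sys/net/netfilter/nf_conntrack_count and
# /proc/sys/net/netfilter/nf_conntrack_max.
conntrack_headroom() {
    count=$1
    max=$2
    extra=$3
    if [ $((count + extra)) -ge "$max" ]; then
        echo overflow
    else
        echo ok
    fi
}

# notrack_rules
# iptables-restore fragment: mark DNS queries and replies NOTRACK in the
# raw table (before conntrack sees them), then accept them explicitly in
# the filter table, since untracked packets never match a state rule.
notrack_rules() {
    cat <<'EOF'
*raw
-A PREROUTING -p udp --dport 53 -j CT --notrack
-A PREROUTING -p tcp --dport 53 -j CT --notrack
-A OUTPUT -p udp --sport 53 -j CT --notrack
-A OUTPUT -p tcp --sport 53 -j CT --notrack
COMMIT
*filter
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 53 -j ACCEPT
COMMIT
EOF
}

# Constructed sample: 10000 queries/s, default 30 s UDP timeout, a table
# currently holding 5000 entries with the old default maximum of 65536.
UDP_TIMEOUT=30
load=$(dns_conntrack_load 10000 "$UDP_TIMEOUT")
echo "expected DNS conntrack entries: $load"
echo "table status: $(conntrack_headroom 5000 65536 "$load")"
echo "rules to apply with iptables-restore -n:"
notrack_rules
```

The load estimate is deliberately pessimistic: a client that reuses one source
port collapses many queries into a single entry, but a properly randomizing
resolver population does not, which is exactly the case where the table fills.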