[K12OSN] K12OSN a bit OT - how to deal with a DOS attack

Micha Silver micha at arava.co.il
Wed Sep 3 13:35:02 UTC 2008

Julius Szelagiewicz wrote:
>> Julius Szelagiewicz wrote:
>>> Dear Folks, and especially Terrell :-)
>>> 	I've experienced a nasty DOS attack last Friday. I am using a
>>> SonicWall Pro as a firewall (because I have some VPNs that my partners are
>>> unwilling to change). The firewall stops responding when the table
>>> controlling open connections gets full. All the PCs and terminals live
>>> behind LTSP server, the internet traffic is proxied to a Squid box on
>>> Comcast, the default goes through the Sonicwall.
When you say, "the table controlling open connections" does that refer 
to /proc/net/ip_connections?
You might try increasing the kernel runtime param ip_conntrack_max, i.e.
# echo 64000 > /proc/sys/net/ipv4/ip_conntrack_max

The default value is chosen based on the amount of RAM in the system, 
and for a busy firewall with filesharing apps behind it opening hundreds 
of connections each, it can get overrun.

>> First, don't jump to conclusions about this being an attack - it is
>> fairly easy to create a routing loop with VPN's and NAT that blow things
>> up unintentionally.  Try a quick wireshark capture, then do
>> statistics/endpoints, click the tcp tab and look at the list sorted by
>> tx packets (the default, I think).  Another thing that can blow up nat
>> tables is a client program that does frequent retries to an unresponsive
>> server - you'll see connection attempts that keep using different source
>> port numbers. Someone might have misconfigured an email client to
>> connect every few seconds or something like that.
>> --
> Les, I grant you your points, but ...
> 32000 connections in 25 seconds, disconnecting all the windoze crap cures
> the problem ...
> I see it as an attack in the sense that I have an undiscovered virus or
> trojan.
> Time to learn wireshark.
> Thank you, julius
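
On a Linux netfilter firewall, the question of which inside host is filling the connection table can be answered from the table itself. The script below is an added example, not part of the original message: it assumes the table is readable as text in the /proc/net/ip_conntrack line format, and the function names and sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: count connection-tracking entries per originating host.
# Reads lines in the /proc/net/ip_conntrack text format on stdin (assumed
# format). Prints "<total> <unreplied> <source-ip>", busiest source first.
conntrack_top_sources() {
    awk '
    {
        src = ""
        # The first src= field on a line is the original direction,
        # i.e. the host that opened the connection.
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^src=/) { src = substr($i, 5); break }
        }
        if (src == "") next
        total[src]++
        # [UNREPLIED] marks entries that never saw return traffic:
        # scanning, or retries to an unresponsive server on new ports.
        if (index($0, "[UNREPLIED]") > 0) unreplied[src]++
    }
    END {
        for (s in total) printf "%d %d %s\n", total[s], unreplied[s] + 0, s
    }' | sort -k1,1nr -k3,3
}

# Constructed sample entries (not captured from a real firewall).
sample_conntrack() {
    cat <<'EOF'
tcp      6 431990 ESTABLISHED src=192.168.0.10 dst=203.0.113.5 sport=40312 dport=80 src=203.0.113.5 dst=198.51.100.2 sport=80 dport=40312 [ASSURED] use=1
tcp      6 110 SYN_SENT src=192.168.0.23 dst=203.0.113.77 sport=1034 dport=445 [UNREPLIED] src=203.0.113.77 dst=198.51.100.2 sport=445 dport=1034 use=1
tcp      6 111 SYN_SENT src=192.168.0.23 dst=203.0.113.78 sport=1035 dport=445 [UNREPLIED] src=203.0.113.78 dst=198.51.100.2 sport=445 dport=1035 use=1
tcp      6 112 SYN_SENT src=192.168.0.23 dst=203.0.113.79 sport=1036 dport=445 [UNREPLIED] src=203.0.113.79 dst=198.51.100.2 sport=445 dport=1036 use=1
EOF
}

# Stand-alone run over the constructed sample.
sample_conntrack | conntrack_top_sources
```

On a live Linux firewall the function would be fed the real table instead, for example `conntrack_top_sources < /proc/net/ip_conntrack | head`. A host with a high total that is almost entirely unreplied is the one to pull off the network first.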
