* ip_conntrack entry: possible potential virus cost connection full
@ 2004-04-22 7:30 George Hong
0 siblings, 0 replies; only message in thread
From: George Hong @ 2004-04-22 7:30 UTC (permalink / raw)
To: netfilter
[-- Attachment #1: Type: text/plain, Size: 938 bytes --]
Hi there,
I have a firewall capable of handling more than 30,000 connections.
Normally the connection number is around 3,000. But sometimes it got
maxed out. And I can't tell what cost it. So I put in the Linux with
iptables to debug it. The Linux box is doing NAT.
Let's assume that a lan PC source address and port is 1.1.1.1:1000 and
the destination address and port is 100.100.100.100:80. And the lan
address for the Linux box is 2.2.2.2 and WAN address is 90.90.90.90.
I noticed that about 40% of the entries in my ip_conntrack table look
like this:
Tcp SYN src=1.1.1.1 dst=100.100.100.100 sport=1000 dport=80 [UNREPLIED]
Src=100.100.100.100 dst=90.90.90.90 sport=80 dport=1000
What concerned me is the portion "dst=90.90.90.90". Isn't it supposed
to be "1.1.1.1"? O.W., how could the connection be completed?
If this is an attack or virus, what kind of attack is it? Any
suggestion to stop it?
Thanks.
George Hong
[-- Attachment #2: Type: text/html, Size: 7638 bytes --]
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2004-04-22 7:30 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2004-04-22 7:30 ip_conntrack entry: possible potential virus cost connection full George Hong
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.