[pve-devel] pvefw: using ctmark to associate connections to VMs
Dietmar Maurer
dietmar at proxmox.com
Mon Mar 3 17:39:25 CET 2014
> > > Does that mean that everybody can start a DOS attack by simply
> > > opening (faking) 64000 TCP connections?
> >
> > http://tools.ietf.org/html/rfc4987
> >
> > So what can we do to prevent that?
>
> Seems syncookies are off by default?
>
> # cat /proc/sys/net/ipv4/tcp_syncookies
> 0
Also found some interesting docs here:
http://people.netfilter.org/hawk/presentations/devconf2014/iptables-ddos-mitigation_JesperBrouer.pdf
According to that, one connection needs 288 bytes in conntrack, so 200000 connections use 57MB RAM.
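The two host settings the thread touches, tcp_syncookies and the worst-case size of the conntrack table, can be checked from a shell. The script below is an added example and is not part of the thread or of Proxmox; the function names and the ROOT parameter (a prefix for /proc, so the same code can be run against a constructed tree) are assumptions, and the fallback of 288 bytes per entry is the figure quoted above rather than a value measured here. Where /proc/slabinfo is readable (root) it uses the real nf_conntrack object size instead. Note that syncookies only protect the host's own listening sockets; forwarded VM traffic still creates conntrack entries, which is why the table bound is reported as well.

```shell
#!/bin/sh
# Added example (not code from the pve-devel thread or from Proxmox): audit
# tcp_syncookies and the conntrack table bound discussed above. Every function
# takes ROOT, a directory prefixed to /proc so the script can be run against a
# constructed tree; on a live host pass "" (hypothetical helper names).

# Print the single value stored in a /proc or sysctl file, or "missing".
read_procval() {
    if [ -r "$1" ]; then
        tr -d '[:space:]' < "$1"
    else
        echo missing
    fi
}

# Bytes per conntrack entry. Prefer the slab object size from /proc/slabinfo
# (4th column of the nf_conntrack line; readable by root). Otherwise fall back
# to the 288 bytes quoted in the thread (assumption: the real figure varies by
# kernel version and architecture).
conntrack_entry_bytes() {
    size=""
    if [ -r "$1/proc/slabinfo" ]; then
        size=$(awk '$1 == "nf_conntrack" { print $4; exit }' "$1/proc/slabinfo")
    fi
    echo "${size:-288}"
}

# Worst-case memory of a completely full conntrack table, in MB (decimal,
# integer division). nf_conntrack_max lives under net/netfilter/ on newer
# kernels and directly under net/ on older ones, so try both.
conntrack_table_mb() {
    max=$(read_procval "$1/proc/sys/net/netfilter/nf_conntrack_max")
    if [ "$max" = missing ]; then
        max=$(read_procval "$1/proc/sys/net/nf_conntrack_max")
    fi
    if [ "$max" = missing ]; then
        echo missing
        return 1
    fi
    bytes=$(conntrack_entry_bytes "$1")
    echo $(( max * bytes / 1000000 ))
}

# Report both settings. Returns 1 when syncookies are off or the table size
# is unknown, so the function can be used from cron or a config check.
pvefw_conntrack_audit() {
    root="${1:-}"
    rc=0
    sc=$(read_procval "$root/proc/sys/net/ipv4/tcp_syncookies")
    if [ "$sc" = 1 ]; then
        echo "tcp_syncookies=1 (host listening sockets protected, RFC 4987)"
    else
        echo "tcp_syncookies=$sc  WARN: set net.ipv4.tcp_syncookies=1"
        rc=1
    fi
    mb=$(conntrack_table_mb "$root") || rc=1
    echo "nf_conntrack table worst case: ${mb} MB" \
         "($(conntrack_entry_bytes "$root") bytes/entry)"
    return $rc
}

# Stand-alone demo on a constructed /proc tree (values chosen to match the
# thread: 200000 entries * 288 bytes = 57 MB). On a real host run:
#   pvefw_conntrack_audit ""
DEMO=$(mktemp -d)
mkdir -p "$DEMO/proc/sys/net/ipv4" "$DEMO/proc/sys/net/netfilter"
echo 0      > "$DEMO/proc/sys/net/ipv4/tcp_syncookies"
echo 200000 > "$DEMO/proc/sys/net/netfilter/nf_conntrack_max"
pvefw_conntrack_audit "$DEMO" || echo "audit: action needed"
rm -rf "$DEMO"
```

The memory figure is an upper bound for a full table, not current usage; on a live host compare it with nf_conntrack_count to see how much headroom a VM flooding connections would have before the table fills and new flows start being dropped.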