Condor john at stz-bg.com
Tue Jun 21 07:33:02 UTC 2011

Hello ppl,
may I ask what traffic from the pool is normal? Sometimes I have 
problems ... I think I get too many queries. This problem has existed for a long time 
and it happens only for a short amount of time, 30 min to 1 hour, and 
usually when I'm not logged in to see what happened. Here is the error that I 
get from the kernel:

net_ratelimit: 686 callbacks suppressed
nf_conntrack: table full, dropping packet.
nf_conntrack: table full, dropping packet.
nf_conntrack: table full, dropping packet.

I use some optimization on tcp/ip network like:

# increase TCP max buffer size setable using setsockopt()
# 16 MB with a few parallel streams is recommended for most 10G paths
# 32 MB might be needed for some very long end-to-end 10G or 40G paths
net.core.rmem_max = 16777216 
net.core.wmem_max = 16777216 
# increase default values
net.core.rmem_default = 16777216
net.core.wmem_default = 16777216
# increase Linux autotuning TCP buffer limits 
# min, default, and max number of bytes to use
# (only change the 3rd value, and make it 16 MB or more)
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
# recommended to increase this for 10G NICS
net.core.netdev_max_backlog = 10000
net.ipv6.conf.all.forwarding = 1
net.netfilter.nf_conntrack_tcp_timeout_established = 2000
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 2000

but I still have a problem. The first time I successfully dumped the traffic 
when it happened, I saw that in 14 seconds my ntp received 3300 send/receive 
queries. After a private email between me and the project owner Ask Bjørn 
Hansen, he decided nothing strange was happening. Today I saw that situation 
again and I logged 58100 send/receive queries in 20 sec. Both logs can be 
downloaded from: www.stz-bg.com/traf/

I want to ask whether that is normal or I'm being attacked. Because the traffic is UDP, 
you can change the query source address and this will become an attack.
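The two questions in the post, how many queries per second the server is really seeing and why that fills the conntrack table, can be answered from the dumps themselves. The script below is an added example, not code from the post or from the pool project: it parses constructed tcpdump-style one-line summaries of NTP packets (the line format is an assumption), counts client queries per second and per source address, and estimates how many conntrack entries a given query rate needs. Every query from a new source/port pair creates a UDP conntrack entry that lives for the UDP timeout, so entries ≈ rate × timeout; the 30 s timeout and 65536 table size used as defaults are assumed typical kernel defaults, not values from the post.

```python
"""Estimate the conntrack load an NTP server's UDP query rate implies.

Added example (not from the original post). Parses tcpdump-style one-line
summaries of NTP packets, computes queries per second and the top source
addresses, and estimates how many nf_conntrack entries that rate needs for
a given UDP timeout. Sample lines are constructed; timeout and table size
defaults are assumed kernel defaults, not values from the post.
"""
import math
import re
from collections import Counter

# Constructed sample capture (not real traffic): timestamp, src > dst, mode.
SAMPLE_CAPTURE = """\
12:00:00.010 IP 203.0.113.5.123 > 198.51.100.10.123: NTPv4, Client, length 48
12:00:00.020 IP 198.51.100.10.123 > 203.0.113.5.123: NTPv4, Server, length 48
12:00:00.250 IP 203.0.113.7.41234 > 198.51.100.10.123: NTPv4, Client, length 48
12:00:00.260 IP 198.51.100.10.123 > 203.0.113.7.41234: NTPv4, Server, length 48
12:00:01.100 IP 203.0.113.5.123 > 198.51.100.10.123: NTPv4, Client, length 48
12:00:01.110 IP 198.51.100.10.123 > 203.0.113.5.123: NTPv4, Server, length 48
12:00:01.500 IP 203.0.113.9.123 > 198.51.100.10.123: NTPv4, Client, length 48
12:00:01.510 IP 198.51.100.10.123 > 203.0.113.9.123: NTPv4, Server, length 48
"""

# Assumed tcpdump summary layout: "HH:MM:SS.frac IP a.b.c.d.port > e.f.g.h.port: NTPv4, Mode, ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): NTPv\d, (?P<mode>\w+)"
)


def parse_ntp_lines(text):
    """Return (seconds_since_midnight, src, mode) for every line that matches."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip non-NTP or unparseable lines
        h, mi, s = m.group("ts").split(":")
        secs = int(h) * 3600 + int(mi) * 60 + float(s)
        records.append((secs, m.group("src"), m.group("mode")))
    return records


def query_stats(text, top_n=3):
    """Count client queries, seconds spanned, queries/sec and top sources."""
    records = parse_ntp_lines(text)
    clients = [(t, src) for t, src, mode in records if mode == "Client"]
    if not clients:
        return {"queries": 0, "seconds": 0, "qps": 0.0, "top": []}
    # Bucket by whole second so a 1.5 s capture counts as 2 seconds, not 1.5.
    first, last = math.floor(clients[0][0]), math.floor(clients[-1][0])
    seconds = last - first + 1
    counts = Counter(src for _, src in clients)
    return {
        "queries": len(clients),
        "seconds": seconds,
        "qps": len(clients) / seconds,
        "top": counts.most_common(top_n),
    }


def conntrack_estimate(qps, udp_timeout=30, table_max=65536):
    """Upper bound on live conntrack entries at a steady query rate.

    Each query from a new source/port pair creates a UDP entry that stays
    in the table for udp_timeout seconds after its last packet. Repeat
    clients refresh an existing entry, so real usage is usually lower.
    Defaults are assumed typical kernel defaults, not values from the post.
    """
    entries = int(round(qps * udp_timeout))
    return {
        "entries": entries,
        "table_max": table_max,
        "fill_pct": round(100.0 * entries / table_max, 1),
        "exceeds": entries > table_max,
    }


if __name__ == "__main__":
    stats = query_stats(SAMPLE_CAPTURE)
    print(f"{stats['queries']} queries over {stats['seconds']} s "
          f"= {stats['qps']:.1f} q/s; top sources: {stats['top']}")
    # Worst case from the post: treat all 58100 packets in 20 s as queries.
    print(conntrack_estimate(58100 / 20))
```

Taken at face value, the post's 58100 packets in 20 seconds is about 2905 per second; with a 30 second UDP timeout that alone implies roughly 87000 live entries, more than a 65536 entry table can hold, which is exactly the `nf_conntrack: table full` condition. On the live host the same comparison is available directly as `/proc/sys/net/netfilter/nf_conntrack_count` against `nf_conntrack_max`, and the per-source counts are what separate a broad, evenly spread client population (normal pool load) from a few addresses or a single spoofed source dominating the capture.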
