tcp timeouts and ip_conntrack - Networking


Thread: tcp timeouts and ip_conntrack

  1. tcp timeouts and ip_conntrack

    Hi,

    Can anyone tell me how I can lower the TCP timeout? I think it's set to
    5 days right now, which is ridiculous, and my ip_conntrack is filling up
    due to a DoS attack. I increased the ip_conntrack_max, but I don't want
    to see 8000 dead connections tracked to the same IP address for 5
    days....!
    What is a sensible value? My server is serving a few hundred clients
    behind NAT.
    It's running stock RH9 (and please don't tell me to just upgrade....
    that would be no help at all, thanks!).

    Regards,
    Tobias


  2. Re: tcp timeouts and ip_conntrack

    Hello,

    nsa.usa@gmail.com wrote:
    >
    > Can anyone tell me how I can lower the TCP timeout? I think it's set to
    > 5 days right now, which is ridiculous, and my ip_conntrack is filling up
    > due to a DoS attack.


    Check /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout*. In recent
    2.6 kernels these parameters may have moved to /proc/sys/net/netfilter/.

    > I increased the ip_conntrack_max, but I don't want
    > to see 8000 dead connections tracked to the same IP address for 5
    > days....!


    You may also consider using the 'connlimit' match from a recent
    patch-o-matic-ng in order to limit the number of parallel TCP
    connections from a client IP address.
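
As an added example, not code from either post: a POSIX shell helper that locates the conntrack TCP timeout knobs on whichever of the two sysctl paths the reply names, flags an oversized established-state timeout, and prints the sysctl command to lower it plus a connlimit rule of the kind the reply suggests. The 3600-second limit, port 80 and the 20-connection ceiling are illustrative values of my own, not recommendations from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. ESTABLISHED_LIMIT, PORT and MAXCONN
# below are assumed, illustrative values.
ESTABLISHED_LIMIT=3600   # seconds; one hour instead of ip_conntrack's 5-day default
PORT=80
MAXCONN=20

# Find the sysctl directory holding the TCP conntrack timeouts. Older kernels
# expose ip_conntrack_* under net/ipv4/netfilter; newer 2.6 kernels expose
# nf_conntrack_* under net/netfilter. $1 overrides /proc/sys for testing.
conntrack_dir() {
    root="${1:-/proc/sys}"
    for d in "$root/net/netfilter" "$root/net/ipv4/netfilter"; do
        for f in "$d"/*conntrack_tcp_timeout_established; do
            [ -f "$f" ] && { echo "$d"; return 0; }
        done
    done
    return 1
}

# Print "knob seconds" for every TCP conntrack timeout in directory $1.
list_tcp_timeouts() {
    for f in "$1"/*conntrack_tcp_timeout*; do
        [ -f "$f" ] || continue
        printf '%s %s\n' "$(basename "$f")" "$(cat "$f")"
    done
}

# Exit 0 when the established timeout in directory $1 exceeds ESTABLISHED_LIMIT.
established_too_long() {
    for f in "$1"/*conntrack_tcp_timeout_established; do
        [ -f "$f" ] || return 2
        [ "$(cat "$f")" -gt "$ESTABLISHED_LIMIT" ] && return 0
    done
    return 1
}

# Turn the knob's path (under root $2, default /proc/sys) into the sysctl key
# and print the command that lowers it; applying it requires root.
lowering_command() {
    root="${2:-/proc/sys}"
    for f in "$1"/*conntrack_tcp_timeout_established; do
        echo "sysctl -w $(echo "${f#"$root"/}" | tr / .)=$ESTABLISHED_LIMIT"
    done
}

# Per-source-IP cap on new TCP connections, using the connlimit match.
connlimit_rule() {
    echo "iptables -A INPUT -p tcp --syn --dport $PORT -m connlimit --connlimit-above $MAXCONN -j DROP"
}
```

On a live box, `D=$(conntrack_dir) && list_tcp_timeouts "$D"` shows the current values, and `lowering_command "$D"` prints the exact sysctl to run.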
