0

I have a mail server, Debian Linux 2.4.31, which is dropping TCP connections and basically being unavailable. I have iptables running on it and it's pretty much very restrictive.

When I run "netstat -tanp|wc -l" I get 366, while "cat /proc/net/ip_conntrack | wc -l" gives me 124172, because I had increased /proc/sys/net/ipv4/ip_conntrack_max since I would see "ip_conntrack: table full, dropping packet." in dmesg output, and yes, I am still seeing those although I did increase the max.

I would/should enable tcp syn cookies, but for some odd reason the kernel was compiled without it so I can't go forward without recompiling it.

I just wanted to know if these symptoms describe a DDOS so I would go forward in adding tcp_syn_cookies.

Thanks.

A4A
  • 78

2 Answers

2

The only way to truly know will be to examine the traffic coming in. Take a network capture using tcpdump from your external-facing interface over a period of time.

tcpdump -s 1500 -w <filename>.pcap -i <interface>

^C it when you think that you've captured enough data. Then ideally copy the pcap file to a machine with a GUI and examine with Wireshark.

This should be able to give you a good idea of where to begin next. Chances are that you aren't dealing with a DDOS as such, but potentially a large amount of spam or port scans.

Dan Carley
  • 26,127
0

What is the state of the netstat -antp connections?

I guess you have connections that somehow got stuck, and the entries remain until an RST packet is sent. If you have a flaky network somewhere between you and the clients accessing your server, it can cause certain packets to be dropped, and your table will be full.

Better to check the entries and try to figure out what the pattern is for the not properly closed connections.

It might also happen because your NIC is broken in some way.

Istvan
  • 2,640
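As an added example (not part of either answer), here is a small shell script that summarises a /proc/net/ip_conntrack dump the way Istvan suggests: entries by TCP state and by remote source address, so the pattern behind a full table becomes visible. The sample lines are constructed in the 2.4 kernel's ip_conntrack format; the assumed field layout is "proto protonum timeout [tcpstate] src= dst= sport= dport= ...".

```shell
#!/bin/sh
# Constructed sample in the /proc/net/ip_conntrack format of a 2.4 kernel (assumed layout).
SAMPLE_FILE=$(mktemp)
cat > "$SAMPLE_FILE" <<'EOF'
tcp      6 58 SYN_RECV src=203.0.113.5 dst=192.0.2.10 sport=40001 dport=25 [UNREPLIED] src=192.0.2.10 dst=203.0.113.5 sport=25 dport=40001 use=1
tcp      6 57 SYN_RECV src=203.0.113.5 dst=192.0.2.10 sport=40002 dport=25 [UNREPLIED] src=192.0.2.10 dst=203.0.113.5 sport=25 dport=40002 use=1
tcp      6 431999 ESTABLISHED src=198.51.100.7 dst=192.0.2.10 sport=51000 dport=25 src=192.0.2.10 dst=198.51.100.7 sport=25 dport=51000 [ASSURED] use=1
tcp      6 119 TIME_WAIT src=198.51.100.8 dst=192.0.2.10 sport=51001 dport=25 src=192.0.2.10 dst=198.51.100.8 sport=25 dport=51001 [ASSURED] use=1
udp      17 29 src=198.51.100.9 dst=192.0.2.10 sport=53 dport=53 [UNREPLIED] src=192.0.2.10 dst=198.51.100.9 sport=53 dport=53 use=1
EOF

# Count TCP entries by state (4th field on tcp lines), most common first.
tcp_states() {
    awk '$1 == "tcp" { count[$4]++ } END { for (s in count) print count[s], s }' "$1" | sort -rn
}

# Count entries per remote address: the first src= field is the original direction.
top_sources() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^src=/) { print substr($i, 5); break } }' "$1" \
        | sort | uniq -c | sort -rn
}

# Number of TCP entries in one state. Many SYN_RECV from few sources is the mark a
# SYN flood leaves; a pile of TIME_WAIT/CLOSE_WAIT points at connections never closed cleanly.
count_state() {
    awk -v st="$2" '$1 == "tcp" && $4 == st { n++ } END { print n + 0 }' "$1"
}

# Number of entries whose other side never answered.
count_unreplied() {
    awk '/\[UNREPLIED\]/ { n++ } END { print n + 0 }' "$1"
}

# Summary over the constructed sample; on the server, point these at /proc/net/ip_conntrack.
echo "TCP entries by state:"; tcp_states "$SAMPLE_FILE"
echo "Entries per source address:"; top_sources "$SAMPLE_FILE"
echo "Half-open (SYN_RECV): $(count_state "$SAMPLE_FILE" SYN_RECV), unreplied: $(count_unreplied "$SAMPLE_FILE")"
```

Comparing the top source addresses with the states they sit in is usually enough to separate a handful of misbehaving peers from broad scanning or spam traffic.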