Too many connections on the same IP
rob0 at gmx.co.uk
Wed Mar 4 13:56:47 UTC 2015
On Wed, Mar 04, 2015 at 09:47:59AM +0100,
Stefan.Lasche at t-systems.com wrote:
> Are you using iptables Firewall?
> Does the problem only occur on UDP connections to the problematic
> IP? Or also on TCP connections to the same IP?
> I had similar problems (not with bind) when the connection table of
> iptables "state" module were too small. Iptables started dropping
> packets, because it couldn't keep track of new connections.
The ISC Knowledge Base has an article about this:
> Since UDP is by definition stateless, the "state" module tries
> to invent some sort of connection status, based on source- and
> destination ports.
Linux connection tracking is protocol-agnostic, but yes, aspects of
the protocol (such as source and destination ports if applicable) are
considered in defining a what is considered a "connection".
> This sometimes makes trouble. Especially when there are lots of
> concurrent connections and the same UDP-ports show up over and over
> again (e.g. when DNS-Clients do not use Source Port Randomization).
The trouble comes if/when the table is too small to account for many
random ports. Each "connection" is only two packets: a query coming
in, and a reply going out.
> You could try to remove the state module (-m state --state NEW)
> from your UDP firewall rule for BIND and see if that helps.
It probably would not, because each query/reply is still seen as a
"connection" to the kernel. A more sophisticated and effective
approach is as described in the article above, using the "raw" table
and "-j CT --notrack".
> I believe there are separate state tables for each network
> interface. This could explain, why your second IP is still
There is a single conntrack table for the system, and all entries
therein are based on packet header information: source and
destination IP address (and ports if applicable.)
We really don't have enough information in this thread to be able to
answer the OP's questions.
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
More information about the bind-users