Too many connections on the same IP

/dev/rob0 rob0 at
Wed Mar 4 13:56:47 UTC 2015

On Wed, Mar 04, 2015 at 09:47:59AM +0100,
   Stefan.Lasche at wrote:
> Are you using iptables Firewall?
> Does the problem only occur on UDP connections to the problematic 
> IP? Or also on TCP connections to the same IP?
> I had similar problems (not with bind) when the connection table of 
> iptables "state" module were too small. Iptables started dropping 
> packets, because it couldn't keep track of new connections.

The ISC Knowledge Base has an article about this:

> Since UDP is by definition stateless, the "state" module tries
> to invent some sort of connection status, based on source- and 
> destination ports.

Linux connection tracking is protocol-agnostic, but yes, aspects of 
the protocol (such as source and destination ports if applicable) are 
considered in defining a what is considered a "connection".

> This sometimes makes trouble. Especially when there are lots of 
> concurrent connections and the same UDP-ports show up over and over 
> again (e.g. when DNS-Clients do not use Source Port Randomization).

The trouble comes if/when the table is too small to account for many
random ports.  Each "connection" is only two packets: a query coming 
in, and a reply going out.

> You could try to remove the state module (-m state --state NEW) 
> from your UDP firewall rule for BIND and see if that helps.

It probably would not, because each query/reply is still seen as a 
"connection" to the kernel.  A more sophisticated and effective 
approach is as described in the article above, using the "raw" table 
and "-j CT --notrack".

> I believe there are separate state tables for each network 
> interface. This could explain, why your second IP is still 
> responding.

There is a single conntrack table for the system, and all entries 
therein are based on packet header information: source and 
destination IP address (and ports if applicable.)

We really don't have enough information in this thread to be able to 
answer the OP's questions.
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:

More information about the bind-users mailing list