ip_conntrack table full

Since I had some spare time, I checked the Mora dormitory network again, and I’ve found this:
[Graph: tracked IP connections, daily]

Some remarks:

  • There are one or more infected machines on the network: see the high number of SYN_SENT connections. I suppose it was a single machine being turned off between 23:00 and 7:30.
  • Another suspicious thing: the high number of TIME_WAIT connections. The timeout is 120 secs, so the average of 714 means almost 6 connections are closed each second. Given that it is now summer and only a few machines are in the dormitory, this is an obvious irregularity (nice expression 😉)
  • The number of ESTABLISHED connections is also high.


My conclusions: there is an infected machine, and there is a large amount of file sharing there. You don’t have to be Sherlock Holmes to find it out in a dormitory. I also think some applications just drop the connection, since the number of the ESTABLISHED entries does not correspond to the active connections shown for example by iptraf. Grrr…
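The per-state counts behind the remarks above can be read straight from the connection tracking table. The following is an added example, not part of the original post: it assumes the old `/proc/net/ip_conntrack` line layout, and the sample entries and addresses are constructed.

```python
"""Summarise ip_conntrack entries by TCP state and by originating host."""
import re
import sys
from collections import Counter

# Constructed sample in /proc/net/ip_conntrack format (documentation address ranges).
SAMPLE = """\
tcp      6 57 SYN_SENT src=192.0.2.23 dst=198.51.100.7 sport=1031 dport=445 [UNREPLIED] src=198.51.100.7 dst=192.0.2.23 sport=445 dport=1031 use=1
tcp      6 58 SYN_SENT src=192.0.2.23 dst=198.51.100.8 sport=1032 dport=445 [UNREPLIED] src=198.51.100.8 dst=192.0.2.23 sport=445 dport=1032 use=1
tcp      6 59 SYN_SENT src=192.0.2.23 dst=198.51.100.9 sport=1033 dport=445 [UNREPLIED] src=198.51.100.9 dst=192.0.2.23 sport=445 dport=1033 use=1
tcp      6 41 SYN_SENT src=192.0.2.40 dst=203.0.113.5 sport=2200 dport=80 [UNREPLIED] src=203.0.113.5 dst=192.0.2.40 sport=80 dport=2200 use=1
tcp      6 93 TIME_WAIT src=192.0.2.40 dst=203.0.113.5 sport=2201 dport=80 src=203.0.113.5 dst=192.0.2.40 sport=80 dport=2201 [ASSURED] use=1
tcp      6 12 TIME_WAIT src=192.0.2.41 dst=203.0.113.6 sport=3100 dport=80 src=203.0.113.6 dst=192.0.2.41 sport=80 dport=3100 [ASSURED] use=1
tcp      6 431990 ESTABLISHED src=192.0.2.41 dst=203.0.113.9 sport=3101 dport=6881 src=203.0.113.9 dst=192.0.2.41 sport=6881 dport=3101 [ASSURED] use=1
udp      17 20 src=192.0.2.41 dst=203.0.113.1 sport=1025 dport=53 src=203.0.113.1 dst=192.0.2.41 sport=53 dport=1025 use=1
"""

def parse(lines):
    """Yield (state, originator_ip) for each TCP entry; other protocols are skipped."""
    for line in lines:
        fields = line.split()
        if len(fields) < 5 or fields[0] != "tcp":
            continue
        # The first src= on the line is the host that opened the connection.
        match = re.search(r"\bsrc=(\S+)", line)
        if match:
            yield fields[3], match.group(1)

def summarise(lines):
    """Return (entries per TCP state, SYN_SENT entries per originating host)."""
    states, syn_sent_by_src = Counter(), Counter()
    for state, src in parse(lines):
        states[state] += 1
        if state == "SYN_SENT":
            syn_sent_by_src[src] += 1
    return states, syn_sent_by_src

def close_rate(time_wait_entries, timeout=120):
    """In steady state entries = rate * timeout, so rate = entries / timeout."""
    return time_wait_entries / timeout

if __name__ == "__main__":
    # Pass /proc/net/ip_conntrack as the argument on the router; default is the sample.
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE.splitlines()
    states, syn_sent_by_src = summarise(lines)
    print("entries per state:", dict(states))
    print("top SYN_SENT sources:", syn_sent_by_src.most_common(5))
    print("closes/sec from TIME_WAIT:", close_rate(states["TIME_WAIT"]))
```

A host that dominates the SYN_SENT list while most of its entries stay `[UNREPLIED]` is the first machine to inspect.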

So I decreased the timeouts for SYN_SENT (from 120s to 60s), TIME_WAIT (also from 120s to 60s) and ESTABLISHED (from 432000s/5 days to 43200s/12 hrs).

By the way, I have already found ideas on how to tweak the router settings such that the network won’t be flooded (up to unusability):

By the way, perhaps I should test Zabbix to replace Munin. There are Debian packages of it. Although only the MySQL backend, and not the PostgreSQL. Why??? That was one (the) blocker for me to try Cacti, but fortunately Zabbix can use PostgreSQL as well.