{"id":11,"date":"2006-10-31T22:52:05","date_gmt":"2006-10-31T22:52:05","guid":{"rendered":"http:\/\/robert.vanyi.org\/?p=11"},"modified":"2006-10-31T22:52:05","modified_gmt":"2006-10-31T22:52:05","slug":"11","status":"publish","type":"post","link":"https:\/\/robert.vanyi.org\/en\/archives\/11","title":{"rendered":"ip_conntrack table full"},"content":{"rendered":"<p>Since I had some spare time, I checked the Mora dormitory network again, and I&#8217;ve found this:<br \/>\n<img decoding=\"async\" src=\"http:\/\/www.mora.u-szeged.hu\/~robi\/rhln\/files\/ip_conntrack-day_2006-08-03.png\" alt=\"tracked IP connections - daily graph\" \/><\/p>\n<p>Some remarks:<\/p>\n<ul>\n<li>There are one or more infected machines on the network: see the high amount of SYN_SENT connections. I suppose it was a single machine being turned off between 23:00 and 7:30.<\/li>\n<li>Another suspicious thing: the high amount of TIME_WAIT connections. The timeout is 120 secs, so the average of 714 means almost 6 connections are closed each second. Given that it is now summer and only a few machines are in the dormitory, this is an obvious irregularity (nice expression \ud83d\ude09)<\/li>\n<li>The number of ESTABLISHED connections is also high.<\/li>\n<\/ul>\n<p><br \/>\nMy conclusions: there is an infected machine, and there is a large amount of file sharing there. You don&#8217;t have to be Sherlock Holmes to find that out in a dormitory. I also think some applications just drop the connection, since the number of the ESTABLISHED entries does not correspond to the active connections shown, for example, by iptraf. 
Grrr&#8230;<\/p>\n<p>So I decreased the timeout for SYN_SENT (from 120s to 60s), TIME_WAIT (also from 120s to 60s) and ESTABLISHED (from 432000s\/5 days to 43200s\/12 hrs).<\/p>\n<p>By the way, I have already found some ideas on how to tweak the router settings so that the network won&#8217;t be flooded (to the point of unusability):<\/p>\n<ul>\n<li><a href=\"http:\/\/lartc.org\/howto\/lartc.cookbook.ultimate-tc.html\">The Ultimate Traffic Conditioner: Low Latency, Fast Up &#038; Downloads<\/a><\/li>\n<li><a href=\"http:\/\/www.netfilter.org\/documentation\/HOWTO\/netfilter-extensions-HOWTO-3.html#ss3.5\">Netfilter extensions: iplimit patch<\/a><\/li>\n<\/ul>\n<p>By the way, perhaps I should test <a href=\"http:\/\/www.zabbix.org\/\">Zabbix<\/a> to replace <a href=\"http:\/\/munin.projects.linpro.no\/\">Munin<\/a>. There are Debian packages of it, although only with the MySQL backend, not the PostgreSQL one. Why??? That was one (the) blocker for me to try <a href=\"http:\/\/www.cacti.net\/\">Cacti<\/a>, but fortunately Zabbix can use PostgreSQL as well.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Since I had some spare time, I checked the Mora dormitory network again, and I&#8217;ve found this: Some remarks: There are one or more infected machines on the network: see the high amount of SYN_SENT connections. I suppose it was a single machine being turned off between 23:00 and 7:30. 
Another suspicious thing: the high &hellip; <a href=\"https:\/\/robert.vanyi.org\/en\/archives\/11\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">ip_conntrack table full<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[],"class_list":["post-11","post","type-post","status-publish","format-standard","hentry"],"_links":{"self":[{"href":"https:\/\/robert.vanyi.org\/en\/wp-json\/wp\/v2\/posts\/11","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/robert.vanyi.org\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/robert.vanyi.org\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/robert.vanyi.org\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/robert.vanyi.org\/en\/wp-json\/wp\/v2\/comments?post=11"}],"version-history":[{"count":0,"href":"https:\/\/robert.vanyi.org\/en\/wp-json\/wp\/v2\/posts\/11\/revisions"}],"wp:attachment":[{"href":"https:\/\/robert.vanyi.org\/en\/wp-json\/wp\/v2\/media?parent=11"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/robert.vanyi.org\/en\/wp-json\/wp\/v2\/categories?post=11"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/robert.vanyi.org\/en\/wp-json\/wp\/v2\/tags?post=11"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
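The post's two observations (a TIME_WAIT population of 714 entries with a 120 s timeout implies about 6 closes per second, and a burst of SYN_SENT entries points at one infected host) and its fix (shorter conntrack timeouts) generalize to a small script. The following is an added example, not code from the original post or from the netfilter project: it parses a conntrack dump in the whitespace-separated `/proc/net/ip_conntrack` line format (`<proto> <protonum> <ttl> [<state>] key=value ... [FLAGS]`, which `conntrack -L` also prints), counts entries per state, flags sources with many unanswered SYN_SENT entries, and applies Little's law (entries = rate × residence time) in both directions. The sample dump is constructed; the legacy `net.ipv4.netfilter.ip_conntrack_tcp_timeout_*` sysctl names are the real 2.6-era knobs, and the commands are only generated as strings, never executed.

```python
"""Summarise a conntrack table dump: entries per TCP state, sources with many
unanswered SYN_SENT entries, and the close rate implied by the TIME_WAIT count.

Assumes the whitespace-separated line format of /proc/net/ip_conntrack (and of
`conntrack -L`): "<proto> <protonum> <ttl> [<state>] key=value ... [FLAGS] ...".
"""
import re
from collections import Counter

# Constructed sample dump (not real traffic): a file-sharing host with
# TIME_WAIT/ESTABLISHED entries and one host with unanswered SYN_SENT probes.
SAMPLE_DUMP = """\
tcp      6 117 TIME_WAIT src=10.1.2.3 dst=203.0.113.7 sport=3321 dport=80 src=203.0.113.7 dst=10.1.2.3 sport=80 dport=3321 [ASSURED] use=1
tcp      6 431998 ESTABLISHED src=10.1.2.9 dst=198.51.100.4 sport=6881 dport=6881 src=198.51.100.4 dst=10.1.2.9 sport=6881 dport=6881 [ASSURED] use=1
tcp      6 119 SYN_SENT src=10.1.2.17 dst=192.0.2.10 sport=1025 dport=445 [UNREPLIED] src=192.0.2.10 dst=10.1.2.17 sport=445 dport=1025 use=1
tcp      6 118 SYN_SENT src=10.1.2.17 dst=192.0.2.11 sport=1026 dport=445 [UNREPLIED] src=192.0.2.11 dst=10.1.2.17 sport=445 dport=1026 use=1
tcp      6 118 SYN_SENT src=10.1.2.17 dst=192.0.2.12 sport=1027 dport=445 [UNREPLIED] src=192.0.2.12 dst=10.1.2.17 sport=445 dport=1027 use=1
tcp      6 110 TIME_WAIT src=10.1.2.9 dst=198.51.100.8 sport=6890 dport=6881 src=198.51.100.8 dst=10.1.2.9 sport=6881 dport=6890 [ASSURED] use=1
udp      17 29 src=10.1.2.3 dst=10.1.2.1 sport=1234 dport=53 src=10.1.2.1 dst=10.1.2.3 sport=53 dport=1234 use=1
"""

LINE_RE = re.compile(
    r"^(?P<proto>[a-z]+)\s+\d+\s+(?P<ttl>\d+)\s+(?:(?P<state>[A-Z_]+)\s+)?(?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")

# Timeouts (seconds) the post ends up with, keyed by TCP state name.
# Legacy ip_conntrack sysctl names; on nf_conntrack kernels the same knobs are
# net.netfilter.nf_conntrack_tcp_timeout_<state>.
TUNED_TIMEOUTS = {"syn_sent": 60, "time_wait": 60, "established": 43200}
LEGACY_PREFIX = "net.ipv4.netfilter.ip_conntrack_tcp_timeout_"


def parse_conntrack(text):
    """One dict per entry: proto, remaining ttl, state, original-direction tuple, unreplied flag."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip blank or unexpected lines instead of crashing on them
        first = {}
        for key, value in KV_RE.findall(m.group("rest")):
            first.setdefault(key, value)  # first src/dst/dport = original direction
        entries.append({
            "proto": m.group("proto"),
            "ttl": int(m.group("ttl")),
            "state": m.group("state"),
            "src": first.get("src"),
            "dst": first.get("dst"),
            "dport": int(first["dport"]) if "dport" in first else None,
            "unreplied": "[UNREPLIED]" in m.group("rest"),
        })
    return entries


def count_states(entries):
    """Entries per TCP state; non-TCP entries (no state field) are counted as 'other'."""
    return Counter(e["state"] or "other" for e in entries)


def unanswered_syn_sources(entries, threshold):
    """Sources with at least `threshold` SYN_SENT entries that never got a reply:
    the signature of a worm or scanner probing hosts that do not answer."""
    per_src = Counter(e["src"] for e in entries
                      if e["state"] == "SYN_SENT" and e["unreplied"])
    return {src: n for src, n in per_src.items() if n >= threshold}


def close_rate(time_wait_entries, time_wait_timeout_s):
    """Closes per second implied by the TIME_WAIT population (Little's law:
    entries = rate * residence time); the post's 714 entries / 120 s is 5.95/s."""
    return time_wait_entries / time_wait_timeout_s


def expected_entries(rate_per_s, timeout_s):
    """Steady-state occupancy for one state: the inverse of close_rate, which is
    why halving a timeout halves that state's share of the conntrack table."""
    return rate_per_s * timeout_s


def sysctl_commands(timeouts, prefix=LEGACY_PREFIX):
    """`sysctl -w` lines that would apply the timeouts (returned as strings, not run)."""
    return [f"sysctl -w {prefix}{state}={secs}" for state, secs in sorted(timeouts.items())]


if __name__ == "__main__":
    # For a live box: parse_conntrack(open("/proc/net/ip_conntrack").read())
    parsed = parse_conntrack(SAMPLE_DUMP)
    print(count_states(parsed))
    print("suspects:", unanswered_syn_sources(parsed, threshold=3))
    print(f"closes/s at 714 TIME_WAIT, 120 s timeout: {close_rate(714, 120):.2f}")
    print("\n".join(sysctl_commands(TUNED_TIMEOUTS)))
```

One caveat on the ESTABLISHED timeout: if it is set below the longest idle period of a legitimate long-lived connection (an idle SSH session without keepalives, say), the router forgets that flow's state. With `tcp_loose` left at its default of 1 a mid-stream packet can re-create the entry, but with `tcp_loose=0` or a ruleset that only accepts `ESTABLISHED,RELATED` the flow's next packet is dropped, so 12 hours is a reasonable floor and the 5-day default mostly just keeps dead entries alive.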