Changes between Initial Version and Version 1 of jazz/12-05-29

Timestamp:

May 29, 2012, 10:19:16 AM (13 years ago)

Author:

jazz

Comment:

--

jazz/12-05-29

@@ +1 @@
+= 2012-05-29 =
+
+== hadoop.nchc.org.tw ==
+
+ * 錯誤訊息：nf_conntrack: table full, dropping packet.
+{{{
+~$ dmesg | grep 
+[1146203.787306] nf_conntrack: table full, dropping packet.
+[1146203.787880] nf_conntrack: table full, dropping packet.
+[1146203.790825] nf_conntrack: table full, dropping packet.
+[1146203.791307] nf_conntrack: table full, dropping packet.
+[1146203.791503] nf_conntrack: table full, dropping packet.
+[1146203.791818] nf_conntrack: table full, dropping packet.
+[1146203.791987] nf_conntrack: table full, dropping packet.
+[1146208.785365] nf_conntrack: table full, dropping packet.
+[1146208.785635] nf_conntrack: table full, dropping packet.
+[1146208.786510] nf_conntrack: table full, dropping packet.
+}}}
+ * [參考] [http://www.pc-freak.net/blog/resolving-nf_conntrack-table-full-dropping-packet-flood-message-in-dmesg-linux-kernel-log/ Resolving “nf_conntrack: table full, dropping packet.” flood message in dmesg Linux kernel log]
+ * [原因] 阻斷攻擊（DDoS）
+ * [解法] 修改 sysctl 增加 ip_conntrack_max 、降低 ip_conntrack_generic_timeout
+{{{
+net.ipv4.netfilter.ip_conntrack_max=16384
+net.ipv4.conf.default.arp_ignore=1
+net.ipv4.conf.all.arp_ignore=1
+net.ipv4.ip_forward=1
+net.ipv4.icmp_echo_ignore_broadcasts=1
+net.ipv4.icmp_ignore_bogus_error_responses=1
+net.ipv4.tcp_ecn=1
+net.ipv4.tcp_fin_timeout=30
+net.ipv4.tcp_keepalive_time=120
+net.ipv4.tcp_syncookies=1
+net.ipv4.tcp_timestamps=0
+net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=300
+net.ipv4.netfilter.ip_conntrack_udp_timeout=60
+net.ipv4.netfilter.ip_conntrack_udp_timeout_stream=180
+net.ipv4.netfilter.ip_conntrack_generic_timeout = 120
+net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 54000
+}}}