A Connection Storm Caught in the Act

Discussion in 'Tomato Firmware' started by Planiwa, Sep 12, 2009.

  1. Planiwa

    Planiwa Network Guru Member

  2. Toastman

    Toastman Super Moderator Staff Member Member

    Nicely illustrated !
  3. Toastman

    Toastman Super Moderator Staff Member Member

    Can you see if there is anything wrong with this script? It used to work, but nowadays, I don't believe it is doing anything.

    #Limit UDP opens from all users to 4 per second
    iptables -A FORWARD -p UDP -s -m limit --limit 4/s -j ACCEPT
  4. ntest7

    ntest7 Network Guru Member

    I think you have to follow this with
    iptables -A FORWARD -p UDP -s -j DROP

    ie. the first rule accepts 4 per second, the second rule throws away anything else.

    Although 4/s sounds pretty low to me; loading a single web page could easily create more than 4 DNS requests if the client is using an external DNS server.
  5. Toastman

    Toastman Super Moderator Staff Member Member

    Thanks! I'll try that. I found this script on the forum a long time ago, there was only one line. It did appear to work for a while, but perhaps I was mistaken.

    You'll probably see from this and some other threads, that we're currently trying to get to the bottom of why routers reboot, stall, or behave unpredictably on occasions. The evidence seems to be pointing at connection storms. This script could help, hopefully.

    Understood about the web pages, very true ! But 4 per second might be OK for the majority, while slowing down the ones you mention they will still work. Once it is proven that the script is working, I'll play around with the number.

    I'll post the result here if it works!
  6. Toastman

    Toastman Super Moderator Staff Member Member

    Nope, large jump in a few seconds from 3 to 458 when I switch on uTorrent with DHT... Now reached 1500+ in a minute. I guess it isn't right yet?
  7. i1135t

    i1135t Network Guru Member

    Have you tried inserting them into the top of the chain using -I vs -A? There may be a rule in your chain that allows all UDP packets before the drop rules and therefore never reach it towards the end of the chain.
  8. Toastman

    Toastman Super Moderator Staff Member Member

    Will try it... thanks. I am at present actually suspecting that the rule is working, but that most of the 1000 odd UDP DNS connections that show in conntrack total - but not in the groups below, are not being counted at all, as they terminate at the router. Therefore, they do not seem to get timed out by the conntrack settings at all.

    Unfortunately I am not a programmer and it is exceedingly difficult for me to figure out what is going on!

    EDIT: A quick trial seems to show this is working, I have not managed to get the total count anywhere above about 450, approx the number shown in all of the conntrack groups. DNS queries seem to be limited. More later ....
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice