Spoofed UDP attack on conntracker

benas

Using this tool https://github.com/Akupintarbanget/Brute/blob/main/brute.py#L70
attackers can send thousands of spoofed UDP packets with unique fake source IP address on each packet.
This way conntracker starts filling up. And doesn't matter how much it's filled it using plenty of CPU. Having 4 NIC queues and each of their CPU being used at 100% legit packet drop appears.

Config:
/sys/module/nf_conntrack/parameters/hashsize = 12098048
sysctl net.netfilter.nf_conntrack_max = 12098048

benas

For anyone wondering I need UDP traffic and also UDP traffic is going through conntracker because docker uses iptables with conntracker module (more information https://github.com/moby/moby/issues/44877)

benas

Type:
Bare Metal
O/S version:
Ubuntu, 22.04 (Jammy Jellyfish)
Architecture:
x86_64
Kernel:
5.15.0-25-generic
CPU:
5.083 GHz (32 Cores)

benas

I also believe that there might be a small chance that connections lookup isn't using that much of cpu.
But connections table resizing might take a lot of CPU power?