Spoofed UDP attack on conntracker

Using this tool https://github.com/Akupintarbanget/Brute/blob/main/brute.py#L70
attackers can send thousands of spoofed UDP packets, with a unique fake source IP address on each packet.
This way the conntracker starts filling up, and no matter how full it is, it uses plenty of CPU. With 4 NIC queues and each of their CPUs at 100%, drops of legitimate packets appear.

Config:
/sys/module/nf_conntrack/parameters/hashsize = 12098048
sysctl net.netfilter.nf_conntrack_max = 12098048
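The flood described in the post leaves a distinctive signature in the conntrack table: a large number of UDP entries in [UNREPLIED] state, nearly every one with a different source address, all aimed at the same destination and port. The script below is an added example, not code from this thread or from the linked tool: it runs that check over `conntrack -L` style output and puts numbers on the configuration quoted above. The sample entries are constructed, the target 192.0.2.10:5000 is a made-up service, and the 30 s unreplied UDP timeout is the kernel default (nf_conntrack_udp_timeout), not a value taken from the post. Note that `hashsize` is the number of hash buckets and stays fixed until it is rewritten; with hashsize equal to nf_conntrack_max the average chain length is one even when the table is full.

```python
"""
Added example (not code from the forum thread or from the tool it links):
spot the spoofed-source UDP flood described above in conntrack state, and
put numbers on the table configuration from the post.

Assumed, not taken from the thread:
  - input is `conntrack -L` style output, one entry per line;
  - the sample entries are constructed here; 192.0.2.10:5000 is a made-up
    target service and the spoofed sources are generated addresses;
  - the default unreplied UDP timeout of 30 s (nf_conntrack_udp_timeout).
"""
import re
from collections import defaultdict

# One conntrack -L entry: protocol name, protocol number, seconds left on the
# timeout, then the original-direction tuple and any state flags. Only the
# original direction is parsed; that is the side the attacker controls.
ENTRY_RE = re.compile(
    r"^(?P<proto>\w+)\s+\d+\s+(?P<timeout>\d+)\s+"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)"
    r"(?P<flags>(?:\s+\[\w+\])*)"
)


def parse_entry(line):
    """Return the parsed fields of one entry, or None for lines that do not match."""
    m = ENTRY_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_spoofed_udp_flood(lines, min_entries=100, min_distinct_ratio=0.9):
    """Group UNREPLIED UDP entries by target (dst, dport).

    A legitimate service sees a few unreplied entries from a limited set of
    clients. A spoofed flood looks like many unreplied entries with (almost)
    one distinct source per entry, all aimed at the same dst:dport. Returns one
    finding per target that crosses both thresholds, biggest first.
    """
    per_target = defaultdict(lambda: {"entries": 0, "srcs": set()})
    for line in lines:
        e = parse_entry(line)
        if e is None or e["proto"] != "udp" or "[UNREPLIED]" not in e["flags"]:
            continue
        t = per_target[(e["dst"], e["dport"])]
        t["entries"] += 1
        t["srcs"].add(e["src"])

    findings = []
    for (dst, dport), t in per_target.items():
        ratio = len(t["srcs"]) / t["entries"]
        if t["entries"] >= min_entries and ratio >= min_distinct_ratio:
            findings.append({"dst": dst, "dport": dport,
                             "entries": t["entries"],
                             "distinct_sources": len(t["srcs"])})
    return sorted(findings, key=lambda f: -f["entries"])


def table_load(count, max_entries, hashsize):
    """Utilisation of nf_conntrack_max and the average hash chain length.

    hashsize is the number of buckets and is fixed until it is rewritten, so
    count / hashsize is the average chain a lookup walks at this fill level.
    """
    return {"utilisation": count / max_entries, "avg_chain_len": count / hashsize}


def sustain_pps(max_entries, udp_unreplied_timeout_s=30):
    """Spoofed packets per second needed to keep the table full.

    Every spoofed packet creates one entry that lives for the unreplied UDP
    timeout, so an attacker has to refill the whole table within one timeout.
    """
    return max_entries / udp_unreplied_timeout_s


def _entry(src, dst, sport, dport, unreplied, timeout=29):
    """Build one constructed conntrack -L line."""
    flag = " [UNREPLIED]" if unreplied else ""
    return (f"udp      17 {timeout} src={src} dst={dst} sport={sport} dport={dport}{flag} "
            f"src={dst} dst={src} sport={dport} dport={sport} mark=0 use=1")


# Constructed sample: three answered flows, one real client that has not been
# answered yet (two entries), and 500 spoofed packets with a fresh source each.
SAMPLE_LINES = [
    _entry("198.51.100.7", "192.0.2.10", 40101, 5000, unreplied=False, timeout=118),
    _entry("198.51.100.8", "192.0.2.10", 40102, 5000, unreplied=False, timeout=117),
    _entry("198.51.100.9", "192.0.2.11", 40103, 123, unreplied=False, timeout=110),
    _entry("198.51.100.20", "192.0.2.11", 40104, 123, unreplied=True),
    _entry("198.51.100.20", "192.0.2.11", 40105, 123, unreplied=True),
] + [
    _entry(f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}", "192.0.2.10",
           40000 + (i % 20000), 5000, unreplied=True)
    for i in range(1, 501)
]


if __name__ == "__main__":
    for f in detect_spoofed_udp_flood(SAMPLE_LINES):
        print(f"flood: {f['dst']}:{f['dport']} {f['entries']} unreplied entries "
              f"from {f['distinct_sources']} distinct sources")
    # The post's settings: hashsize == nf_conntrack_max == 12098048.
    print(table_load(12098048, 12098048, 12098048))
    print(f"{sustain_pps(12098048):.0f} pps to keep the table full")
```

On a live box, feed it `conntrack -L 2>/dev/null` line by line instead of the constructed sample. With the post's values, a table of 12098048 entries and a 30 s unreplied timeout means an attacker has to sustain roughly 403k spoofed packets per second to keep the table full; anything less and entries expire faster than they are created. Exempting the UDP port from tracking with an `iptables -t raw ... -j CT --notrack` rule removes the per-packet conntrack cost, but NAT depends on conntrack, so untracked packets cannot be DNAT'd into a container; that option only fits traffic that does not go through Docker's port publishing.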

Comments

  • benas (Posts: 4), edited February 2023

    For anyone wondering: I need UDP traffic, and the UDP traffic is going through the conntracker because Docker uses iptables with the conntrack module (more information: https://github.com/moby/moby/issues/44877).

  • benas (Posts: 4)

    Type:
    Bare Metal
    O/S version:
    Ubuntu, 22.04 (Jammy Jellyfish)
    Architecture:
    x86_64
    Kernel:
    5.15.0-25-generic
    CPU:
    5.083 GHz (32 Cores)

  • benas (Posts: 4), edited February 2023

    I also believe there is a small chance that the connection lookup isn't using that much CPU.
    But could resizing the connection table be taking a lot of CPU power?
