ipt_ACCOUNT Archives

Subject: Re: ipt_ACCOUNT ipv6 support

From: Anton Khalikov <anton@xxxxxxxxxxx>
To: ipt_ACCOUNT@xxxxxxxxxxxxxxxxxxxxxxx
Date: Fri, 23 Jan 2015 14:39:19 +0500
Hi Tomas, and thanks for your answer.

As far as I know, conntrack counts traffic per connection, so yes, if we experience a SYN flood/UDP flood DDoS attack the conntrack table becomes quite huge. It doesn't break, it just becomes slow and takes a lot of memory to hold. I can't tell the exact box properties to repeat the case because we switched to ipt_account and disabled conntrack a long time ago. At the moment our routers have 16 CPU cores and 16 GB RAM per 1GE uplink and Intel NICs with interrupts correctly distributed between cores. These machines are enough to survive DDoS attacks that fit into 1GE uplink bandwidth with IPv4 only and use ipt_account as a counter. Now we want to add IPv6 support to our network and I'm unable to find a high-performance IPv6 per-host traffic counter yet.

So you suggest taking another look at the conntrack + ulog2 solution, do you?

--
Best regards
Anton Khalikov

--
ipt_ACCOUNT - see http://www.intra2net.com/en/developer/ipt_ACCOUNT for details.
To unsubscribe send a mail to ipt_ACCOUNT+unsubscribe@xxxxxxxxxxxxxxxxxxxxxxx