DDOS ATTACK ON CONNTRACK TABLE OVERFLOW

Authors

  • IGOR KREMIN, Lutsk National Technical University
  • SERHII KREMIN, Lutsk National Technical University
  • OLEKSANDR MINDZIA, Lutsk National Technical University

DOI:

https://doi.org/10.31891/2307-5732-2025-347-20

Keywords:

DDoS attack, Conntrack table, denial of service, packet filtering, NAT, TCP connections, network security, Linux, rate limiting, SYN cookies

Abstract

The article addresses DDoS attacks, which remain one of the most severe threats to the stable operation of network services. Particular attention is given to attacks that overflow the Conntrack table, the connection-tracking component of the Linux kernel's Netfilter subsystem, which records the state of every tracked connection. Once the table is full, the kernel drops packets that would require a new entry, so legitimate new connections are refused even though established ones continue: a denial of service that blocks legitimate traffic.

The primary goal of the study is to analyze how Conntrack operates and to identify effective approaches to protection against such attacks. The article examines rate limiting, increasing the size of the Conntrack table, and SYN cookies. Rate limiting caps the number of new connections a source can open per unit of time, increasing the table size (the nf_conntrack_max kernel parameter) raises the number of entries the kernel will hold at the cost of memory, and SYN cookies let the TCP stack answer SYN segments without keeping half-open connection state in the listen queue.

The article also reviews the TCP connection life cycle and how Conntrack tracks each of its phases. The dynamics of SYN Flood and TCP RST/FIN Flood attacks, which fill the Conntrack table with half-open or deliberately short-lived connections, are analyzed. Example nftables configurations for mitigating these attacks are provided.

The practical recommendations focus on tuning system parameters to reduce exposure to these attacks. The article details how to set the size of the Conntrack table through kernel parameters and how to enable SYN cookies. It also notes that connection tracking can be disabled for HTTP/HTTPS traffic (an nftables notrack rule) to improve performance, with the caveat that such traffic then receives no stateful filtering or NAT and must be accepted explicitly.
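The following shell script is an added example and not material from the article: it renders the sysctl and nftables fragments that the mitigations above amount to (table sizing, SYN cookies, shorter TCP timeouts, a per-source SYN rate limit and notrack for ports 80/443) and counts the kernel's overflow message in a constructed dmesg excerpt. The 320-byte per-entry figure, the 256 MiB memory budget, the rate and timeout values and the log sample are assumptions chosen for illustration; the sysctl names, the nft syntax and the "table full, dropping packet" message are the kernel's own.

```shell
#!/usr/bin/env sh
# Added example (not from the article): size, configure and monitor the Linux
# conntrack table against SYN and RST/FIN floods. Everything here renders
# text or inspects a sample; no root, no live nft or sysctl calls.
set -eu

# Rule-of-thumb memory per tracked connection (struct nf_conn plus the usual
# extensions on x86_64). An assumption for sizing, not a kernel constant.
ENTRY_BYTES=320

# Arg 1: memory budget for the table in MiB. Prints an nf_conntrack_max.
conntrack_max_for_budget() {
    echo $(( $1 * 1024 * 1024 / ENTRY_BYTES ))
}

# The kernel's default keeps nf_conntrack_max = 4 * nf_conntrack_buckets so the
# average hash chain stays near two (each connection is hashed twice, once per
# direction). Keep that ratio when the maximum is raised by hand.
conntrack_buckets_for_max() {
    echo $(( $1 / 4 ))
}

# Table fill in percent from nf_conntrack_count and nf_conntrack_max.
# At 100 the next packet needing a new entry is dropped.
conntrack_fill_percent() {
    echo $(( $1 * 100 / $2 ))
}

# Count the overflow message nf_conntrack_core.c logs. It is rate limited by
# the kernel, so this is a lower bound on dropped packets.
count_table_full() {
    grep -c 'table full, dropping packet' || true
}

# sysctl fragment for /etc/sysctl.d/. SYN_RECV, TIME_WAIT and CLOSE timeouts
# are cut from the kernel defaults (60, 120 and 10 s) so half-open and
# RST/FIN-terminated entries leave the table sooner.
render_sysctl() {
    cat <<EOF
net.netfilter.nf_conntrack_max = $1
# Writable via sysctl on recent kernels; older ones take it from
# /sys/module/nf_conntrack/parameters/hashsize.
net.netfilter.nf_conntrack_buckets = $2
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 4096
net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 30
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 30
net.netfilter.nf_conntrack_tcp_timeout_close = 5
# Do not create entries for mid-stream ACKs (no SYN seen), so an ACK flood
# cannot fill the table. Connections older than the module load become invalid.
net.netfilter.nf_conntrack_tcp_loose = 0
EOF
}

# nftables ruleset. The raw-priority chains run before conntrack, so ports
# 80/443 (both directions) never consume an entry; in exchange they get no
# ct state matching or NAT and must be accepted explicitly. Remaining TCP
# SYNs are limited per source through a dynamic set. Rates are illustrative.
render_nft() {
    cat <<EOF
table inet filter {
    set synflood {
        type ipv4_addr
        size 65535
        flags dynamic, timeout
        timeout 1m
    }
    chain prerouting_raw {
        type filter hook prerouting priority raw; policy accept;
        tcp dport { 80, 443 } notrack
    }
    chain output_raw {
        type filter hook output priority raw; policy accept;
        tcp sport { 80, 443 } notrack
    }
    chain input {
        type filter hook input priority filter; policy drop;
        iif lo accept
        ct state invalid drop
        ct state established,related accept
        tcp dport { 80, 443 } accept
        tcp flags & (fin|syn|rst|ack) == syn add @synflood { ip saddr limit rate over ${1:-25}/second burst 50 packets } drop
        tcp dport 22 ct state new accept
        icmp type echo-request limit rate 10/second accept
    }
}
EOF
}

# Constructed dmesg excerpt for the check below; not from a real host.
DMESG_SAMPLE='[  812.101] nf_conntrack: nf_conntrack: table full, dropping packet
[  812.102] nf_conntrack: nf_conntrack: table full, dropping packet
[  812.900] TCP: request_sock_TCP: Possible SYN flooding on port 443. Sending cookies.'

main() {
    max=$(conntrack_max_for_budget 256)
    buckets=$(conntrack_buckets_for_max "$max")
    render_sysctl "$max" "$buckets"
    echo
    render_nft 25
    echo
    echo "overflow messages in sample: $(printf '%s\n' "$DMESG_SAMPLE" | count_table_full)"
    echo "fill at 750000 entries: $(conntrack_fill_percent 750000 "$max")%"
}

main
```

On a live host, compare net.netfilter.nf_conntrack_count with net.netfilter.nf_conntrack_max and watch the drop, early_drop and insert_failed counters in conntrack -S before raising the limit: the table only protects what the host can back with memory, so a limit it cannot hold trades one outage for another. The notrack rules must sit in raw-priority chains, because conntrack runs at priority -200 and a notrack statement in a later chain arrives too late to prevent the entry.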

The conclusions emphasize the importance of a comprehensive approach to protection, including rate limiting, packet filtering, increasing system resources, and applying adaptive strategies. Directions for further research are proposed, including the implementation of machine learning for automated traffic analysis and adaptive filtering.

Thus, the article serves as a valuable resource for network security specialists working to address the issue of DDoS attacks at the Conntrack level. The conclusions and recommendations presented in the article contribute to enhancing system resilience and ensuring the stable operation of network services, even under high load conditions.

Published

2025-01-30

How to Cite

KREMIN, I., KREMIN, S., & MINDZIA, O. (2025). DDOS ATTACK ON CONNTRACK TABLE OVERFLOW. Herald of Khmelnytskyi National University. Technical Sciences, 347(1), 150-155. https://doi.org/10.31891/2307-5732-2025-347-20