As you can see from the title, I am at a dilemma. This might be a bit of a read, but any help would be greatly appreciated.
First off, this is all done on one of our Linux CentOS servers. Basically, after the incoming bandwidth to the server exceeds a certain amount (in packets per second), iptables will slowly give up and then render the server completely useless.
Now, you are probably thinking, ok, well simple, this is because you have too many iptable rules .. that is not correct. At around 200 - 300 iptable rules, and around 200 000 - 300 000 incoming packets per second (udp), iptable's starts giving up! Maybe its not iptables, but everything starts lagging (like ssh), and sooner or later, the server is unaccessible and barely pingable (~50% success rate).
The other reason could be logging, and I'm sure you probably thought about that too. Not correct, I made sure there are NO logging iptable rules. Makes sence though, if it was trying to log some of these packets, the server would just crash due to all the HDD work (due to the mass amount of packets).
Just also to add in, it is NOT anything to do with the router or network wise. The connection is over 1000Mbit, and is fully dedicated. I made sure of this.
So really, I am asking a variety of things.
1. What causes the lag? Is it the HDD being overused? Somehow..?
2. Is there a way to avoid this?
Any ideas or suggestions would be greatly appreciated. I am sure other people suffered this issue with the common DDoS attacks, where the issue is not due to bandwidth itself, but packets per second.
There are many ways to improve iptables but keep it mind it is a software and uses a (slow) linear algorithm. The main limit is your CPU : there will be huge differences if it's running on a 1.5Ghz DualCore or a i7-975.
- ipset (http://www.netfilter.org/projects/ipset/index.html): quite interesting for those who, like you, have a lot of rules. Whether you have 200 or 2,000+ rules it can give some impressive results. However, it depends on what kind of rules you are using and of course, you will have to patch and compile.
- conntrack : if you don't use, disable it because it eats up a lot of resources.
But it could also be the right time for you to switch to a hardware firewall.
However, even before patching/disabling anything, the very first thing I would do is simply to ask the kernel what is going on :