Device: 951G-2HnD (Memory: 128Mb.) (100Mb+ free while idle)
Version: 6.15 (other not tested)
Problem: router reboot
Cause: too many “connection tracker” connections
Context: stress test (curiosity), not general usage.
jan/01/2002 04:00:07 system,error,critical System rebooted because of kernel failure
jan/01/2002 04:00:08 system,error,critical Out of memory condition was detected
jan/01/2002 04:00:08 system,error,critical router was rebooted without proper shutdown
ip-firewall-connections-Max Entries: 220952
Since the “conntrack UDP default timeout” is 30 seconds, the connection table can easily be abused/stressed.
Goal: create huge amount of NAT records.
Details: send many UDP packets through NAT (connection tracker ON) with different dest./src ports.
Tested with a script:
Every 100 ms, until port 65535 is reached:
- From 100 local UDP sockets, send a packet to the IP for each port in the range 50000 - 50300.
- Increase the port offset by +300.
(65535 - 50000) * 100 NAT records; 30000 (theoretical) records per second.
Free memory => 0
“/ip firewall connection” count => 1553500 >>
Router => reboot
For me: ~40000 “firewall connections” already consume 90Mb (no queues enabled, no mangle rules enabled).
Empirical result:
Kernel failure. Out of memory. Router rebooted.
Desired result:
Drop packets. Don’t try to create new NAT records when there is no more memory.
Nodejs script: https://gist.github.com/Befzz/88019748abcef04d3301
Usage: node udp_stress.js IP_WITH_NAT
In the script file, change PORT_START and SOCKETS_COUNT to make it more stressful.