Setting the MTU when DDoS protection is active

Written by

Yandex Cloud

Updated at August 6, 2024

Setting the MTU

We recommend always setting the MTU to 1450 bytes when Yandex DDoS Protection protection is active.

Alert

If you enable DDoS Protection and leave the MTU at the default value, you may lose network traffic.

To learn more about MTU and MSS parameters in Yandex Cloud, see MTU and TCP MSS.

Setting the MTU

For a VM with Ubuntu Linux 20.04 or 22.04

Connect to the VM over SSH:
```
ssh <username>@<VM's_IP>
```

Set the MTU to 1450 using the netplan command. Run this command:

sudo netplan set ethernets.eth0.mtu=1450 && sudo netplan apply

Check the new MTU and MSS values:

ip link show eth0 | grep mtu
ss -i | grep mss

For worker nodes of a Managed Service for Kubernetes cluster

Create a DaemonSet YAML manifest with the following contents:

---
apiVersion: "apps/v1"
kind: DaemonSet
metadata:
  name: mtu-fix
  namespace: kube-system
  labels:
    k8s-app: mtu-fix
    version: 1v
spec:
  selector:
    matchLabels:
      k8s-app: mtu-fix
  template:
    metadata:
      labels:
        k8s-app: mtu-fix
    spec:
      hostPID: true
      hostNetwork: true
      containers:
      - name: mtu-fix
        image: cr.yandex/crpjfmfou6gflobbfvfv/ipfixik:0.1.0
        command:
          - bash
          - -c
          - |
            ip link set dev eth0 mtu 1450
            sleep infinity
        imagePullPolicy: Always
        securityContext:
          privileged: true
        resources:
          limits:
            memory: 200Mi
          requests:
            cpu: 100m
            memory: 200Mi
        volumeMounts:
        - mountPath: /sys/
          name: sys
        - mountPath: /proc/
          name: proc
      volumes:
      - name: sys
        hostPath:
          path: /sys/
          type: Directory
      - name: proc
        hostPath:
          path: /proc/
          type: Directory

Save it to a file with any name, e.g., ds-mtu-fix.yml.

Apply the manifest you created to the Managed Service for Kubernetes cluster:
```
kubectl -f ds-mtu-fix.yml
```
Connect to any production node within the cluster over SSH and check the MTU and MSS values.
```
ssh <username>@<production_node_IP>
ip link show eth0 | grep mtu
ss -i | grep mss
```

For a VM with Windows Server

Connect to the VM with Windows Server over RDP and launch Windows PowerShell.
Specify the name of the interface for which you want to change the MTU:
```
netsh interface ipv4 show subinterfaces
```

Set the MTU of the network interface to 1450. In our example, it is Ethernet 2:

netsh interface ipv4 set subinterface "Ethernet 2" mtu=1450 store=persistent

Make sure the MTU value has changed.

netsh interface ipv4 show subinterfaces

Setting the MTU when DDoS protection is active

Setting the MTUSetting the MTU

For a VM with Ubuntu Linux 20.04 or 22.04For a VM with Ubuntu Linux 20.04 or 22.04

For worker nodes of a Managed Service for Kubernetes clusterFor worker nodes of a Managed Service for Kubernetes cluster

For a VM with Windows ServerFor a VM with Windows Server

Was the article helpful?

Setting the MTU

For a VM with Ubuntu Linux 20.04 or 22.04

For worker nodes of a Managed Service for Kubernetes cluster

For a VM with Windows Server