
Re: Syn floods and DOS protection

To: <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: Syn floods and DOS protection
From: "Alex Kramarov" <alex@xxxxxxxxxxxxxxx>
Date: Tue, 3 Sep 2002 22:56:39 +0200
----- Original Message -----
From: "Peter Mueller" <pmueller@xxxxxxxxxxxx>
To: <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Sent: Tuesday, September 03, 2002 8:46 PM
Subject: RE: Syn floods and DOS protection


> > i have read the docs, and i saw that all the security and dos
> > protection
> > features in LVS are aimed at protecting the director. the
>
> Not necessarily.  Can you be more specific where your area(s) of concern
> are?
>

My goal is to protect the w2k real servers from a syn flood attack

> > setup assumes that
> > the real servers can take care of themselves, either by using
> > syncookies or
> > by some other means. is there a solution for real servers that do not
> > implement syncookies ? On some of my servers i am stuck with
> > w2k. I know
>
> It's generally a good idea to not rely on any single security point.  In
> this case it seems like LVS-NAT topology might be a good option in addition
> to hardening your windows 2000 boxes.  Google is once again your friend
> here..
>
> http://www.google.com/search?sourceid=navclient&q=SYN+%22windows+2000%22+DOS

I am running a 2-director (active-active) setup which also runs iptables on
them, doing LVS-NAT - works great for some time. But I know that a simple
500/sec SYN flood takes down all the w2k real servers after several seconds,
even if I use the w2k SYN protection - it's junk. A standard cable-connected
user can generate a 500 SYN/sec flood. Using iptables rate limiting will help, but
it will also block legitimate connections in the process of the attack.

I was wondering whether in case of an attack I could turn off LVS and use a
reverse proxy on the director to relay the traffic to the real servers - I
know that I will lose the originating IP of the connection, but at least
syncookies will protect the director, and the proxy will only proxy
legitimate requests. I am reluctant to try squid - I had some bad experience
with it, and I don't want a full-blown proxy, I just want to proxy the
opened connections to the real servers. Maybe even use xinetd redirect - but
here I can run into a memory limit on the director - xinetd will open a new
process for every new connection ... Is there some threaded proxy that will
not use too much resources?

> > there is a syncookies firewall for kernel 2.2, but i am using 2.4 ...
>
> because of netfilter 2.4 is much better than 2.2.  are you asking what the
> settings are for /proc (or sysctl.conf) to help guard against syn floods? a
> few I use are ..
>
> [root@stage-lb2 root]# uname -a
> Linux stage-lb2.internal.smartbasket.com 2.4.19-rc1 #1 SMP Fri Jul 12
> 17:51:56 PDT 2002 i686 unknown
> [root@stage-lb2 root]# cat /proc/sys/net/ipv4/tcp_syncookies
> 1
> [root@stage-lb2 root]# cat /etc/sysctl.conf | grep syn
> net.ipv4.tcp_max_syn_backlog = 2048
> net.ipv4.tcp_syncookies = 1

I also use this for my Linux-based boxes, but unfortunately it only
protects the box itself.
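Two checks that follow from this exchange, as an added example that is not from the thread or the LVS project: audit a director's sysctl.conf for the two SYN-flood settings quoted above (tcp_syncookies = 1, tcp_max_syn_backlog >= 2048), and count half-open SYN_RECV sockets per local port and per source address from /proc/net/tcp so a flood in progress can be seen and, for a per-source limit, attributed. The sysctl.conf snippet and the /proc/net/tcp lines are constructed for illustration, and the per-source flood threshold is this example's own assumption, not a figure from the list.

```python
"""Added example: SYN-flood sysctl audit plus SYN_RECV counting from
/proc/net/tcp. Sample data is constructed, not captured from a real director."""
import socket
import struct
from collections import Counter

# Minimums taken from the settings quoted in the thread.
REQUIRED_SYSCTLS = {
    "net.ipv4.tcp_syncookies": 1,
    "net.ipv4.tcp_max_syn_backlog": 2048,
}

SYN_RECV = "03"  # TCP state code for SYN_RECV in /proc/net/tcp

# Constructed sysctl.conf: syncookies missing, backlog below the quoted value.
SAMPLE_SYSCTL_CONF = """\
# constructed sample, not a real director's file
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.ip_forward = 1
"""

# Constructed /proc/net/tcp: three SYN_RECV from 192.168.0.1 to port 80, one
# ESTABLISHED (state 01) to port 80, one SYN_RECV from 192.168.0.2 to port 443.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0A00000A:0050 0100A8C0:0400 03 00000000:00000000 01:00000003 00000001     0        0 0 2 c0000000
   1: 0A00000A:0050 0100A8C0:0401 03 00000000:00000000 01:00000003 00000001     0        0 0 2 c0000000
   2: 0A00000A:0050 0100A8C0:0402 03 00000000:00000000 01:00000003 00000001     0        0 0 2 c0000000
   3: 0A00000A:0050 0300A8C0:9C40 01 00000000:00000000 00:00000000 00000000  1000        0 1234 1 c0000000
   4: 0A00000A:01BB 0200A8C0:C000 03 00000000:00000000 01:00000003 00000001     0        0 0 2 c0000000
"""


def parse_sysctl_conf(text):
    """Return {key: int(value)} for non-comment 'key = value' lines."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        try:
            settings[key.strip()] = int(value.strip())
        except ValueError:
            continue  # non-integer sysctls are not audited here
    return settings


def audit_sysctls(settings):
    """Return [(key, found_value_or_None, minimum)] for missing or low settings."""
    findings = []
    for key, minimum in REQUIRED_SYSCTLS.items():
        found = settings.get(key)
        if found is None or found < minimum:
            findings.append((key, found, minimum))
    return findings


def decode_proc_addr(hexaddr):
    """'0100007F:0050' -> ('127.0.0.1', 80). /proc/net/tcp stores the IPv4
    address as a host-order (little-endian on x86) 32-bit hex word and the
    port as a big-endian 16-bit hex word."""
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def half_open_by_port_and_source(proc_net_tcp_text):
    """Count SYN_RECV sockets per local port and per remote IP."""
    per_port = Counter()
    per_source = Counter()
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != SYN_RECV:
            continue
        _, lport = decode_proc_addr(fields[1])
        rip, _ = decode_proc_addr(fields[2])
        per_port[lport] += 1
        per_source[rip] += 1
    return per_port, per_source


def flood_sources(per_source, threshold):
    """Sources holding more than `threshold` half-open connections.
    The threshold is an assumption to be tuned per site, not a value from
    the thread; on a live box it would come from repeated sampling."""
    return sorted(ip for ip, n in per_source.items() if n > threshold)


if __name__ == "__main__":
    for key, found, minimum in audit_sysctls(parse_sysctl_conf(SAMPLE_SYSCTL_CONF)):
        print("sysctl %s is %s, want >= %d" % (key, found, minimum))
    per_port, per_source = half_open_by_port_and_source(SAMPLE_PROC_NET_TCP)
    print("SYN_RECV per local port:", dict(per_port))
    print("SYN_RECV per source:", dict(per_source))
    print("sources over threshold 2:", flood_sources(per_source, 2))
```

On a real director the same functions would be fed open("/etc/sysctl.conf").read() and open("/proc/net/tcp").read(); the per-source counter is what a per-source iptables limit would key on, whereas a single global rate limit, as the post notes, throttles legitimate clients along with the attacker.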


