> I am running LVS-NAT with 3 apache webservers and wlc scheduler.
ok.
> Doing "./testlvs 192.168.0.1:80 -packets 0" makes the director unresponsive
> after ~ 30 seconds. If I use ldirectord it removes all realservers after that
> time.
>
> Is this normal?
what client are you sending this flood from? what is the speed of the
director? what does show_traffic.sh indicate for the megabit/s you are
pushing through the director?
when I was doing my tests with testlvs I found it saturated the directors
pretty quickly. I think Julian wrote testlvs to try to destroy LVS as
quickly as possible. so don't be surprised if it does this; instead use it
as an opportunity to make your site more resistant from the start.
PS - since it is kind of on-topic here, what kind of DOS guards do you have
in place? A good start is:
net.ipv4.tcp_max_syn_backlog = 2048
# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1
# Ignore ICMP echo requests sent to broadcast addresses (smurf protection)
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Enable bad error message protection
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Enable IP spoofing protection
# disable this on IPsec gateways
net.ipv4.conf.all.rp_filter = 1
# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
# disable send redirects
net.ipv4.conf.all.send_redirects = 0
# Disable Source Routed Packets
net.ipv4.conf.all.accept_source_route = 0
# Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1
# larger port range
net.ipv4.ip_local_port_range = 32768 60099
+ appropriate firewall rules.
Hope that helps
Peter
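As an added example (not part of Peter's mail), a small POSIX sh checker that compares a director's current settings against the baseline listed above. It reads "key = value" lines from a file, e.g. the output of `sysctl -a` or a sysctl.conf, so it also works on a captured dump; the function name and output format are my own.

```sh
#!/bin/sh
# Baseline from the mail above: one "key value" pair per line.
BASELINE='net.ipv4.tcp_max_syn_backlog 2048
net.ipv4.tcp_syncookies 1
net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.icmp_ignore_bogus_error_responses 1
net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.all.send_redirects 0
net.ipv4.conf.all.accept_source_route 0
net.ipv4.conf.all.log_martians 1
net.ipv4.ip_local_port_range 32768 60099'

# check_baseline FILE
#   Prints one line per deviation and returns the number of deviations,
#   so 0 means the file matches the baseline completely.
check_baseline() {
    file=$1
    deviations=0
    # A here-document keeps the loop in the current shell, so the counter
    # survives (a pipe into "while" would run it in a subshell).
    while read -r key expected; do
        [ -n "$key" ] || continue
        # Last matching line wins (sysctl -a prints each key once, but a
        # sysctl.conf may repeat one). Strip "key =" and squeeze whitespace:
        # sysctl prints the port range as "32768<TAB>60099".
        actual=$(grep "^$key[[:space:]]*=" "$file" | tail -n 1 \
                 | sed 's/^[^=]*=[[:space:]]*//' \
                 | tr -s '[:space:]' ' ' | sed 's/ $//')
        if [ -z "$actual" ]; then
            printf 'MISSING  %s (expected %s)\n' "$key" "$expected"
            deviations=$((deviations + 1))
        elif [ "$actual" != "$expected" ]; then
            printf 'MISMATCH %s: expected %s, got %s\n' "$key" "$expected" "$actual"
            deviations=$((deviations + 1))
        fi
    done <<EOF
$BASELINE
EOF
    return "$deviations"
}

# Live use on a director:  sysctl -a 2>/dev/null > /tmp/sysctl.cur
#                          check_baseline /tmp/sysctl.cur
```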