Re: ip_vs_random_dropentry

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: ip_vs_random_dropentry
From: Jacob Coby <jcoby@xxxxxxxxxxxxxxx>
Date: Thu, 29 Sep 2005 10:05:08 -0400
Julian Anastasov wrote:
>         Hello,
>
> On Wed, 28 Sep 2005, Jacob Coby wrote:
>
> > I've been looking at the source code for ipvs 1.0.10 and noticed that
> > ip_vs_random_dropentry does not send a RESET packet to the realserver.
> > It is my understanding that this feature is to prevent SYN flood (and
> > related) attacks, but it doesn't seem like it would be effective as the
> > realserver will continue to SYN/ACK until it reaches tcp_synack_retries.
> > You've potentially saved the director from attack, but lost the
> > realserver(s).
>
>         In old days we were sending ICMP error, now it is disabled with
> nat_icmp_send sysctl. Is it enabled in your setup?

No, it is set to 0.  I'm using DR; would this flag still have effect?

I only raise this issue because I've been having trouble with incomplete connections due to buggy or overloaded NAT firewalls (or some other factor that I can't trace). I'll see normal traffic and then a flood of 45+ SYN packets within 1.5 seconds. Or it'll generate a flood of EST (SYN / SYN+ACK / ACK => EST) connections without sending data. I'm thinking it's a bug (feature?) in the firewall when it gets overloaded in that it "forgets" to send RESET or FIN packets. Or it misunderstands the SYN+ACK retries from the realserver, or ... I'm out of ideas, and just want to stop it from bringing down our site.

I'll be adding --syn limits to the iptables rules on the director next week, but it still seems weird that LVS will drop a connection on the director without letting the real server know it's dead. It's very important, esp. when dealing with apache 1.3 or other server daemons that fork and can take up lots of memory (and need to close connections ASAP).

> > Am I missing something, or is this by design?
>
> Regards
>
> --
> Julian Anastasov <ja@xxxxxx>
> _______________________________________________
> LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
> or go to http://www.in-addr.de/mailman/listinfo/lvs-users




--
-Jacob
