To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: [lvs-users] secure_tcp and other LVS defenses not working against SYN flood
From: Khosrow Ebrahimpour <khosrow.ebrahimpour@xxxxxxxx>
Date: Mon, 19 Dec 2011 10:37:43 -0500

Hi list,

I am in the process of testing LVS defenses against SYN floods and found that 
despite configuring the recommended sysctl variables, my LVS is still 
susceptible to a SYN flood using hping3.

On my lvs I have the following configured:

net.ipv4.vs.drop_entry = 1
net.ipv4.vs.drop_packet = 1
net.ipv4.vs.secure_tcp = 1
net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 10

I generate the attack using:

hping3 -p 80 --flood -S --rand-source test-web1

Almost immediately, the LVS system becomes unresponsive and I can see the 
connection tables /proc/net/ip_vs_conn and /proc/net/ip_vs_conn_sync filling up, 
while none of the net.ipv4.vs.* values have been changed to 2.

In addition, the realservers (test-fe01, test-fe02, test-fe03) are reporting 
the SYN flood correctly, and have activated syncookies:

Dec 19 15:34:00 test-fe01 kernel: [6310993.998126] possible SYN flooding on 
port 80. Sending cookies.

Can anyone comment on what my issue is? Is it a configuration issue?

Thanks,
--
Khosrow
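As an added, defender-side example that is not part of this thread or of the LVS project: a small script that parses a /proc/net/ip_vs_conn dump, reports how much of the table is stuck in SYN_RECV and from how many distinct source addresses, and translates the net.ipv4.vs.drop_entry/drop_packet/secure_tcp values into the auto/active/always-on meanings referred to above. It assumes the classic nine-column ip_vs_conn layout (hex addresses and ports); the sample table is constructed.

```python
"""Inspect IPVS connection table state and the net.ipv4.vs defense sysctls."""
from collections import Counter
import ipaddress
import os

# Constructed sample in the /proc/net/ip_vs_conn layout: hex IPs/ports, one row per entry.
SAMPLE_IP_VS_CONN = """\
Pro FromIP   FPrt ToIP     TPrt DestIP   DPrt State       Expires
TCP 0A000001 C350 0A000002 0050 0A000003 0050 ESTABLISHED 899
TCP C0A80101 1F90 0A000002 0050 0A000004 0050 SYN_RECV    9
TCP C0A80102 1F91 0A000002 0050 0A000003 0050 SYN_RECV    9
TCP C0A80103 1F92 0A000002 0050 0A000004 0050 SYN_RECV    8
"""

# Meaning of the net.ipv4.vs.{drop_entry,drop_packet,secure_tcp} values:
# 1 is "auto", and the kernel rewrites it to 2 while the defense is actually engaged.
DEFENSE_MODES = {0: "off", 1: "auto (not triggered)", 2: "auto (active)", 3: "always on"}

def parse_ip_vs_conn(text):
    """Return (Counter of connection states, number of distinct client IPs)."""
    states = Counter()
    clients = set()
    for line in text.splitlines()[1:]:          # first row is the column header
        fields = line.split()
        if len(fields) < 9:
            continue                            # skip blank or truncated rows
        from_ip, state = fields[1], fields[7]
        states[state] += 1
        clients.add(str(ipaddress.IPv4Address(int(from_ip, 16))))
    return states, len(clients)

def syn_recv_ratio(text):
    """Fraction of table entries sitting in SYN_RECV; near 1.0 during a spoofed SYN flood."""
    states, _ = parse_ip_vs_conn(text)
    total = sum(states.values())
    return states["SYN_RECV"] / total if total else 0.0

def defense_status(values):
    """Map {sysctl name: int value} to {sysctl name: readable mode}."""
    return {k: DEFENSE_MODES.get(v, "unknown(%d)" % v) for k, v in values.items()}

def read_defense_sysctls():
    """Read the live values; only meaningful on a director with IPVS loaded."""
    out = {}
    for name in ("drop_entry", "drop_packet", "secure_tcp"):
        path = "/proc/sys/net/ipv4/vs/" + name
        if os.path.exists(path):
            with open(path) as f:
                out[name] = int(f.read().strip())
    return out

if __name__ == "__main__":
    print(parse_ip_vs_conn(SAMPLE_IP_VS_CONN), syn_recv_ratio(SAMPLE_IP_VS_CONN))
    print(defense_status(read_defense_sysctls()))
```

On a live director, feed it `open("/proc/net/ip_vs_conn").read()` instead of the sample to see whether the table is filling with SYN_RECV entries while the sysctls still report "auto (not triggered)".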
