I am in the process of testing LVS defenses against SYN floods and found that
despite configuring the recommended sysctl variables, my LVS is still
susceptible to a SYN flood using hping3.
On my LVS I have the following configured:
net.ipv4.vs.drop_entry = 1
net.ipv4.vs.drop_packet = 1
net.ipv4.vs.secure_tcp = 1
net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 10
I generate the attack using:
hping3 -p 80 --flood -S --rand-source test-web1
Almost immediately, the LVS system becomes unresponsive and I can see the
connection tables /proc/net/ip_vs_conn and /proc/net/ip_vs_conn_sync filling up
while none of the net.ipv4.vs.* values has been changed to 2.
In addition, the realservers (test-fe01, test-fe02, test-fe03) are reporting
the SYN flood correctly, and have activated syncookies:
Dec 19 15:34:00 test-fe01 kernel: [6310993.998126] possible SYN flooding on port 80. Sending cookies.
Can anyone comment on what my issue is? Is it a configuration issue?
LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
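An added check for inspecting the table the poster mentions (example code, not from the original post or the LVS project): it counts /proc/net/ip_vs_conn entries by state, since a flood shows up as a surge of half-open SYN_RECV entries, and reads the three vs.* knobs to see whether any has flipped to 2. The table contents are constructed sample data; the assumed column layout is the usual Pro/FromIP/FPrt/ToIP/TPrt/DestIP/DPrt/State/Expires one.

```shell
#!/bin/sh
# Count ip_vs_conn entries per State (column 8); skips the header line.
# Usage: ipvs_state_counts /proc/net/ip_vs_conn
ipvs_state_counts() {
    awk 'NR > 1 && NF >= 8 { n[$8]++ } END { for (s in n) print s, n[s] }' "$1" | sort
}

# Number of half-open (SYN_RECV) entries, the ones a SYN flood inflates.
ipvs_syn_recv_count() {
    awk 'NR > 1 && $8 == "SYN_RECV" { c++ } END { print c + 0 }' "$1"
}

# Succeeds (exit 0) when more than $2 entries are half-open; for a cron or
# monitoring check that should alarm before the LVS box becomes unresponsive.
ipvs_half_open_exceeds() {
    [ "$(ipvs_syn_recv_count "$1")" -gt "$2" ]
}

# Show the three vs.* knobs: 1 = armed but not triggered, 2 = kernel has
# switched into its defense mode, 0 = off. Silently skips hosts without ip_vs.
ipvs_defense_status() {
    for k in drop_entry drop_packet secure_tcp; do
        f="/proc/sys/net/ipv4/vs/$k"
        [ -r "$f" ] && printf '%s=%s\n' "$k" "$(cat "$f")"
    done
    return 0
}

# Constructed sample table (assumption: same layout as a real ip_vs_conn dump).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
Pro FromIP   FPrt ToIP     TPrt DestIP   DPrt State       Expires PEName PEData
TCP C0A80A0B 8F3A C0A80101 0050 C0A80201 0050 SYN_RECV          9
TCP 0A0B0C0D 1F90 C0A80101 0050 C0A80202 0050 SYN_RECV          7
TCP C0A80A0C C001 C0A80101 0050 C0A80203 0050 ESTABLISHED     899
TCP C0A80A0D C002 C0A80101 0050 C0A80201 0050 SYN_RECV          3
EOF

echo "entries by state:"
ipvs_state_counts "$SAMPLE"
echo "half-open: $(ipvs_syn_recv_count "$SAMPLE")"
ipvs_half_open_exceeds "$SAMPLE" 2 && echo "WARNING: half-open entries above threshold"
ipvs_defense_status
```

On a live director, replace "$SAMPLE" with /proc/net/ip_vs_conn and run it on a short interval so the SYN_RECV count and the vs.* values can be watched side by side while the flood is in progress.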