Re: [lvs-users] IPVS SYN-cookies -> IPVS security patch not 3.x kernels

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: Re: [lvs-users] IPVS SYN-cookies -> IPVS security patch not 3.x kernels
From: Ivan Havlicek <ivan@xxxxxxxxxxx>
Date: Thu, 16 May 2013 01:51:33 +0200
On 14/05/2013 21:04, Horst Venzke-Fa Remsnet Ltd wrote:
> So the SYN traffic PASSED the LB servers to the real servers AND BACK. The
> real servers over-flood the LB (IPVS) systems with traffic amounts
> they should not. And exactly for that the 2.6.x SYNPROXY IPVS patch
> was made years ago.

I have also been using IPVS with NAT for some years now. So, I know the hype of SYN
floods...

But, as it is very difficult to prevent an attack like:

# hping3 --data 666 --syn --destport 80 --flood --rand-source IP_POOR_VICTIM

only with SYN cookies, I prefer to use another strategy for this issue.
In a few words, each IPVS director has iptables rules and acts as a
stateful firewall.
The rules concerning NEW connections are rate limited per second (the number
needs to be tuned).
The goal is to make the conntrack tables grow more slowly, combined with a
low TCP time to live:

ipvsadm --set 2 5 5

So under pressure, the IPVS server has time to purge its list quickly enough.
After some tests, I also added some hand-made scripts to ban by MAC address
clients that are in too much of a hurry (tail -f /var/log/kernel.log):

iptables -A INPUT -i eth0 -p tcp -m limit --limit 15/minute -j LOG --log-level alert --log-prefix "INPUT:DROP "

For now, it's the best way I've found to deal with this.
In fact, my best advice is to not have enemies...
I guess that in case of a massive attack (some GB/s from multiple sources),
it'll be very hard not to disturb the web service :-(

Well, I'm a poor lone cowboy with my Gentoo, and I agree,
something better should be made!

> Right, having a firewall (cluster...) in front of a web farm
> is always a major solution.

I'm looking for some feedback about a pfSense cluster, you're welcome ;-)
My 2 cents.
--
Ivan Havlicek
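
The rate-limiting ruleset and log-driven MAC banning described in the post, as an added example that is not the poster's own scripts: the interface name, the per-second limit, the ban threshold and the kernel log lines are assumptions or constructed for illustration.

```shell
#!/bin/sh
# Added example: rate-limit NEW TCP connections on an IPVS director, log the
# overflow with the "INPUT:DROP " prefix, and pick out source MACs that show
# up too often in that log. Interface and limits are assumptions to be tuned.

IFACE=eth0          # assumption: the director's public interface
NEW_PER_SEC=50      # assumption: NEW connections per second to allow

# Ruleset as the post describes: established traffic passes, NEW SYNs are
# rate-limited, the excess is logged (itself rate-limited) and dropped.
apply_rules() {
    iptables -A INPUT -i "$IFACE" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -i "$IFACE" -p tcp --syn -m conntrack --ctstate NEW \
        -m limit --limit "${NEW_PER_SEC}/second" --limit-burst "$NEW_PER_SEC" -j ACCEPT
    iptables -A INPUT -i "$IFACE" -p tcp --syn -m limit --limit 15/minute \
        -j LOG --log-level alert --log-prefix "INPUT:DROP "
    iptables -A INPUT -i "$IFACE" -p tcp --syn -j DROP
    # Short TCP / TCP-FIN / UDP timeouts so IPVS purges its table quickly.
    ipvsadm --set 2 5 5
}

# Print each source MAC seen at least $2 times in log file $1.
# The LOG target's MAC= field is dst(6 octets):src(6):ethertype(2), so the
# source MAC is octets 7-12. Caveat: it is the MAC of the last hop, so it
# only identifies hosts on the director's own L2 segment (else the router).
offenders() {
    grep -o 'MAC=[0-9a-f:]*' "$1" \
      | cut -d= -f2 | cut -d: -f7-12 \
      | sort | uniq -c \
      | awk -v t="$2" '$1 >= t { print $2 }'
}

# Constructed sample log (not real traffic): three hits from one source MAC,
# one from another, with varying SRC addresses as in a random-source flood.
write_sample() {
    cat > "$1" <<'EOF'
May 15 01:00:01 lb kernel: INPUT:DROP IN=eth0 OUT= MAC=00:aa:bb:cc:dd:ee:02:42:ac:11:00:05:08:00 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=40001 DPT=80 SYN
May 15 01:00:01 lb kernel: INPUT:DROP IN=eth0 OUT= MAC=00:aa:bb:cc:dd:ee:02:42:ac:11:00:05:08:00 SRC=198.51.100.8 DST=203.0.113.10 PROTO=TCP SPT=40002 DPT=80 SYN
May 15 01:00:02 lb kernel: INPUT:DROP IN=eth0 OUT= MAC=00:aa:bb:cc:dd:ee:02:42:ac:11:00:05:08:00 SRC=198.51.100.9 DST=203.0.113.10 PROTO=TCP SPT=40003 DPT=80 SYN
May 15 01:00:02 lb kernel: INPUT:DROP IN=eth0 OUT= MAC=00:aa:bb:cc:dd:ee:02:42:ac:11:00:06:08:00 SRC=198.51.100.20 DST=203.0.113.10 PROTO=TCP SPT=40004 DPT=80 SYN
EOF
}

# Run as "sh script.sh apply" (root) to install the rules; otherwise only the
# functions are defined so the parser can be used on a real kernel log.
if [ "${1:-}" = "apply" ]; then apply_rules; fi
```

Feeding `offenders /var/log/kernel.log 3` output into a DROP rule keyed on `-m mac --mac-source` is the banning step the post alludes to.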

_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://lists.graemef.net/mailman/listinfo/lvs-users