On 14/05/2013 08:51, Horst Venzke-Fa Remsnet Ltd wrote:
> Therefore - for IPVS security obligations - the SYN flood traffic should be
> stopped at the earliest point: the IPVS system itself.
It is a view that I do not share.
I prefer to use the solution to "limit" at the IPVS IP server and use
the SYN Cookies on the real servers.
Maybe I'm wrong, but I prefer to distribute the attack on the real servers
rather than take the risk of dropping the IPVS director itself.
As the only way is to rewrite something which permits doing SYNPROXY
for the kernel 3.x series, perhaps you should find another way to obtain
this result. If there is a high risk of DoS in your case, perhaps
putting some equipment to manage that before the IPVS server would be
another good solution.
Best regards
--
Ivan
_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/
LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://lists.graemef.net/mailman/listinfo/lvs-users