On 14/05/2013 21:04, Horst Venzke-Fa Remsnet Ltd wrote:
> So the SYN traffic PASSED the LB servers to the real servers AND BACK. The
> real servers over-flood the LB (IPVS) systems with traffic amounts
> they should not. And exactly for that the 2.6x SYNPROXY IPVS patch
> was made years ago.
I have also been using IPVS with NAT for some years now. So, I know the hype
about SYN floods...
But, as it is very difficult to prevent an attack like:
# hping3 --data 666 --syn --destport 80 --flood --rand-source IP_POOR_VICTIM
with SYN cookies only, I prefer to use another strategy for this issue.
In a few words, each IPVS director has iptables rules and acts as a
stateful firewall.
The rules concerning NEW connections are rate-limited per second (the number
needs to be tuned).
The goal is to make the conntrack tables grow more slowly, combined with a
low TCP time to live:
ipvsadm --set 2 5 5
So under pressure, the IPVS server has time to purge its list quickly enough.
After some tests, I also added some hand-made scripts to ban by MAC address
the clients that are in too much of a hurry (tail -f /var/log/kernel.log):
iptables -A INPUT -i eth0 -p tcp -m limit --limit 15/minute -j LOG --log-level alert --log-prefix "INPUT:DROP "
For now, it's the best way I've found to deal with this.
In fact, my best advice is to not have enemies...
I guess that in case of a massive attack (some GB/s from multiple sources),
it'll be very hard not to disturb the web service :-(
Well, I'm a poor lone cowboy with my Gentoo, and I agree,
something better should be made!
> Right, to have a firewall (cluster...) in front of a web farm
> is always a major solution.
I'm looking for some feedback about a pfSense cluster, you're welcome ;-)
My 2 cents.
--
Ivan Havlicek
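The ban-by-MAC script Ivan mentions is not included in his mail. The following is an added example (my own sketch, not Ivan's script and not part of the LVS project) of that idea: it parses kernel log lines written by a LOG rule with the "INPUT:DROP " prefix shown above, counts hits per source MAC address inside a sliding time window, and produces the iptables rule that would drop that MAC. The sample log lines, the window length, the threshold, and the exact rule shape are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

LOG_PREFIX = "INPUT:DROP "   # --log-prefix used in the LOG rule from the mail
WINDOW_SECONDS = 10          # assumed: window in which hits are counted
THRESHOLD = 3                # assumed: hits per window that trigger a ban

# Constructed sample lines in the layout the netfilter LOG target writes to the
# kernel log. Host name, addresses and MACs are invented for this example.
# MAC= carries destination MAC (6 bytes), source MAC (6 bytes), ethertype (2).
SAMPLE_LOG = """\
May 14 21:10:01 director kernel: INPUT:DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
May 14 21:10:02 director kernel: INPUT:DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40002 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
May 14 21:10:02 director kernel: INPUT:DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:de:ad:be:ef:00:01:08:00 SRC=198.51.100.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
May 14 21:10:03 director kernel: eth0: link is up
May 14 21:10:03 director kernel: INPUT:DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=40003 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
May 14 21:10:04 director kernel: INPUT:DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=40004 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
May 14 21:12:30 director kernel: INPUT:DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:de:ad:be:ef:00:01:08:00 SRC=198.51.100.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8 DF PROTO=TCP SPT=51001 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: "
    + re.escape(LOG_PREFIX)
    + r"(?P<fields>.*)$"
)


def parse_line(line):
    """Return (timestamp, source MAC, source IP) for a matching LOG line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Split "KEY=VALUE" tokens; flag tokens such as DF or SYN have no '=' and are skipped.
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    octets = fields.get("MAC", "").split(":")
    if len(octets) < 12:          # need destination (6) and source (6) bytes
        return None
    src_mac = ":".join(octets[6:12])
    # syslog timestamps carry no year; strptime defaults to 1900, which is fine
    # because only differences between timestamps are used below.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, src_mac, fields.get("SRC", "")


def find_offenders(log_text, threshold=THRESHOLD, window_seconds=WINDOW_SECONDS):
    """Map source MAC -> (peak hits in any window, source IP) for MACs over threshold."""
    hits = defaultdict(list)
    ips = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src_mac, src_ip = parsed
        hits[src_mac].append(ts)
        ips[src_mac] = src_ip
    offenders = {}
    for src_mac, stamps in hits.items():
        stamps.sort()
        peak, start = 0, 0
        # Two-pointer sliding window: 'start' trails so the window never exceeds window_seconds.
        for end, ts in enumerate(stamps):
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            offenders[src_mac] = (peak, ips[src_mac])
    return offenders


def ban_rule(src_mac, iface="eth0"):
    """iptables command (mac match module) that drops frames from src_mac on iface."""
    return f"iptables -I INPUT -i {iface} -m mac --mac-source {src_mac} -j DROP"


if __name__ == "__main__":
    for mac, (peak, ip) in find_offenders(SAMPLE_LOG).items():
        print(f"# {peak} hits in {WINDOW_SECONDS}s from {mac} ({ip})")
        print(ban_rule(mac))
```

One caveat when using this against a director that fronts Internet clients: the source MAC of a routed packet is that of the last-hop router, not of the remote host, so a MAC ban only distinguishes hosts on the director's own segment. For traffic from outside, keying the same counting logic on the SRC address (also parsed above) is the usable variant.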
_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/
LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://lists.graemef.net/mailman/listinfo/lvs-users