> What do you think about the suggestion by Lorn Kay, of doing the same
> with netfilter? It sort of becomes
> the real server's defense.
How is that related to LVS?
> Thanks
> Anush
I was wondering if this project could provide a method to dynamically update
netfilter's ipchains/iptables rules based on threshold values set by user
commands.
For example, could you use all of the usual options for ACCEPT or DENY in
your firewall rules and add to one of the ACCEPT rules to dynamically set
values: "ACKs per Second" or something like this. (For the ACCEPT rule being
used to allow HTTP requests for the VIP).
That way you could say "set forward mark = 200 when ACKs per second on the
VIP exceeds my threshold value" on the Director.
If it is in ipchains only, then you could add these firewall rules to DR/TUN
Real Servers as well, I suppose...
Yes, not really an LVS issue, but you could then use fwmark rules to send
these DOS packets (or any other suspicious FWMARKed packets) on to an
isolated/non-production Real Server that you don't really care what happens
to.
-K
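One way the Director-side part of this idea looks with today's tools, as an added example that is not from the thread or the LVS project: a script that marks ACK packets to the VIP above a per-second threshold with fwmark 200 and defines a fwmark-based LVS service whose only real server is the isolated box. It assumes iptables with the hashlimit match and MARK target, ipvsadm, and placeholder addresses (VIP 192.0.2.10, quarantine real server 10.0.0.99); it prints the commands rather than running them so the rule set can be reviewed first.

```shell
#!/bin/sh
# Added example, not the LVS list's own code. Emits the Director rules that
# realise "fwmark = 200 when ACKs/sec on the VIP exceed a threshold".
# Assumptions: xt_hashlimit, xt_MARK and ipvsadm are available; all addresses
# below are constructed placeholders.

# Usage: lvs_fwmark_rules VIP ACK_PER_SEC FWMARK QUARANTINE_RS
# Prints the commands; pipe the output into sh to apply it. Re-running with a
# new ACK_PER_SEC replaces the old threshold (the LVS_DOS chain is flushed).
lvs_fwmark_rules() {
    vip=$1; limit=$2; mark=$3; quarantine=$4
    cat <<EOF
# Dedicated mangle chain so the threshold can be changed by re-running.
iptables -t mangle -N LVS_DOS 2>/dev/null || true
iptables -t mangle -F LVS_DOS
# Mark TCP ACKs to port 80 that exceed $limit/sec, tracked per source address.
iptables -t mangle -A LVS_DOS -p tcp --dport 80 --tcp-flags ACK ACK \\
  -m hashlimit --hashlimit-name vip_ack --hashlimit-mode srcip \\
  --hashlimit-above ${limit}/sec --hashlimit-burst $limit \\
  -j MARK --set-mark $mark
# Send traffic for the VIP through the chain (add the jump only once).
iptables -t mangle -C PREROUTING -d $vip -j LVS_DOS 2>/dev/null || \\
  iptables -t mangle -A PREROUTING -d $vip -j LVS_DOS
# Unmarked packets still hit the normal VIP:80 service; marked packets are
# matched by fwmark and go to the quarantine real server only (DR mode).
ipvsadm -A -f $mark -s rr 2>/dev/null || true
ipvsadm -a -f $mark -r $quarantine -g
EOF
}

# Demonstration with constructed placeholder values: 500 ACKs/sec threshold.
lvs_fwmark_rules 192.0.2.10 500 200 10.0.0.99
```

The quarantine real server must still be configured like any other DR real server (VIP on a non-ARPing interface), otherwise the marked packets are dropped rather than absorbed.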