Julian Anastasov wrote:
>
> Hello,
>
> On Wed, 22 Nov 2000, joern maier wrote:
>
> > Hi there,
> >
> > maybe one of you can help me. I got some problem protecting my VS from
> > SYN-flood attacks. Somehow the drop_entry mechanism seems not to work.
> > Doing a SYN-flood with 3 clients to my VS (1 director + 3 RS) the system
> > gets unreachable. -> a single server (one of my RS) "DoSed" by those
> > clients stays alive.
>
> You can't SYN flood the director with 3 clients only. You need
> more clients. As an alternative, you can download "testlvs" from the web
> site. What does ipvsadm -Ln show under attack? How do you activate drop_entry?
> What does "cat drop_entry" show?
>
I downloaded testlvs and flooded my system with it. With two clients, my LVS
gets to a denial of service, although when I'm doing "cat drop_entry" it still
shows me a "1". ipvsadm -Ln shows me:
  192.168.10.1:80 lc
    192.168.1.4:80    Tunnel  1  0  33246
    192.168.1.3:80    Tunnel  1  0  33244
    192.168.1.2:80    Tunnel  1  0  33246
during the flooding attack the connection values stay around this size.
Using the SYN-flood tool with which I tried it before, ipvsadm shows me this:
  192.168.10.1:80 lc
    192.168.1.4:80    Tunnel  1  0  356046
    192.168.1.3:80    Tunnel  1  0  355981
    192.168.1.2:80    Tunnel  1  0  356013
so it shows me about ten times as many connections as your tool. I took a look
at the packets, both are quite similar, they only differ in the window size
(testlvs has 0, the other tool uses a size of 65534) and sequence numbers (o.k.,
checksum as well).
I am activating drop entry like this:
- I switch on my computer (director) and start linux with the LVS Kernel
- I type cd /proc/sys/net/ipv4/vs
- I type echo 1 > drop_entry
- then I run the lvs scripts rc.lvs_tun on the director
=> after this, the LVS works fine under normal conditions.
What did I miss?
> > Set-up:
> >
> > all RS have tcp_syncookies enabled (1); the tcp_max_syn_backlog is set to 128
> >
> > after booting the director I set the drop_entry var to 1 (echo 1 > drop_entry)
> > (I have to do this every time I reboot the director => is the drop_entry var
> > not stored somehow?)
> > before compiling the kernel I set the table size to 2^20; my director has
> > 256 MB of memory and no other applications are running, so that should be o.k.
>
> You don't need such large table, really.
>
> > did I miss anything ?
> >
> > I'm using ip tunneling and lc scheduling if this is important
> >
> > I'm thankful for any help I can get
> >
> > Joern
>
> Regards
>
> --
> Julian Anastasov <ja@xxxxxx>
>
> _______________________________________________
> LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
> or go to http://www.in-addr.de/mailman/listinfo/lvs-users
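The procedure in the post (echo 1 into /proc/sys/net/ipv4/vs/drop_entry, then watch the InActConn column of ipvsadm -Ln during the flood) can be wrapped in a few shell functions that verify the setting instead of assuming it and that sum the inactive-connection counters so two samples can be compared. This is an added example and not code from the thread or from the LVS project; it assumes the /proc path the poster uses, that the sysctl key mirrors that path (net.ipv4.vs.drop_entry), and the ipvsadm -Ln layout "-> RemoteAddress:Port Forward Weight ActiveConn InActConn". The two sample outputs are constructed from the numbers quoted in the post.

```shell
#!/bin/sh
# Added example for this thread (not code from the original post or from the
# LVS project). Assumes the /proc interface the poster uses,
# /proc/sys/net/ipv4/vs/drop_entry, and the ipvsadm -Ln output layout
# "-> RemoteAddress:Port Forward Weight ActiveConn InActConn".

# Write drop_entry and read it back, so the setting is verified rather than
# assumed. The /proc root is a parameter so the function can be exercised
# against a scratch directory.
set_drop_entry() {
    root=${1:-/proc/sys/net/ipv4/vs}
    value=${2:-1}
    if [ ! -d "$root" ]; then
        echo "no LVS proc tree at $root (is the LVS kernel running?)" >&2
        return 1
    fi
    echo "$value" > "$root/drop_entry" || return 1
    cat "$root/drop_entry"
}

# The poster had to re-run "echo 1 > drop_entry" after every reboot: /proc
# settings are not persistent. The usual fix is a sysctl line applied at boot.
# This prints the line to append to /etc/sysctl.conf (key name assumed to
# mirror the /proc path, as sysctl keys do).
sysctl_line() {
    echo "net.ipv4.vs.drop_entry = ${1:-1}"
}

# Total InActConn across all real servers from ipvsadm -Ln output on stdin.
# Each real-server line starts with "->" and ends with the InActConn column.
inact_total() {
    awk '$1 == "->" { sum += $NF } END { print sum + 0 }'
}

# Difference between two samples of inact_total; positive means the table
# is still growing, roughly zero means it has levelled off as in the post.
inact_delta() {
    echo $(( $2 - $1 ))
}

# Constructed sample: the three real servers and counters the poster quoted
# for the testlvs run.
sample_testlvs() {
    cat <<'EOF'
TCP  192.168.10.1:80 lc
  -> 192.168.1.4:80               Tunnel  1      0          33246
  -> 192.168.1.3:80               Tunnel  1      0          33244
  -> 192.168.1.2:80               Tunnel  1      0          33246
EOF
}

# Constructed sample: the counters quoted for the other SYN-flood tool.
sample_synflood() {
    cat <<'EOF'
TCP  192.168.10.1:80 lc
  -> 192.168.1.4:80               Tunnel  1      0          356046
  -> 192.168.1.3:80               Tunnel  1      0          355981
  -> 192.168.1.2:80               Tunnel  1      0          356013
EOF
}

# Usage on a live director: take two samples a few seconds apart and see
# whether the inactive-connection count is still climbing.
#   a=$(ipvsadm -Ln | inact_total); sleep 10; b=$(ipvsadm -Ln | inact_total)
#   inact_delta "$a" "$b"
echo "testlvs InActConn total:  $(sample_testlvs | inact_total)"
echo "synflood InActConn total: $(sample_synflood | inact_total)"
```

On a real director the first call is `set_drop_entry` with no arguments, which fails loudly if the vs directory is absent (wrong kernel) and otherwise echoes the value read back from /proc; `sysctl_line >> /etc/sysctl.conf` is the persistence step the poster asked about. The summing function is deliberately independent of ipvsadm being installed, which is why it takes its input on stdin.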