Hello,
On Thu, 23 Nov 2000, joern maier wrote:
> > You can't SYN flood the director with 3 clients only. You need
> > more clients. As alternative, you can download "testlvs" from the web
> > site. What shows ipvsadm -Ln under attack? How you activate drop_entry?
> > What shows "cat drop_entry" ?
> >
>
> I dowloaded testlvs and flooded my System with it. With two clients, my
> LVS
> gets to a denial of service, allthough when I´m doing "cat drop_entry"
> it still
> shows me a "1". ipvsadm -Ln shows me:
>
> 192.168.10.1:80 lc
> 192.168.1.4:80 Tunnel 1 0 33246
> 192.168.1.3:80 Tunnel 1 0 33244
> 192.168.1.2:80 Tunnel 1 0 33246
May be you run testlvs with 100,000 source addresses.
> during the flooding attack the connection values stay around this size.
> Using the SYN-Flood tool with which I tried it before, ivsadm shows me
> this:
>
> 192.168.10.1:80 lc
> 192.168.1.4:80 Tunnel 1 0 356046
> 192.168.1.3:80 Tunnel 1 0 355981
> 192.168.1.2:80 Tunnel 1 0 356013
>
> so it shows me about ten times as many connectios as your tool. I took a
> look
> at the packets, both are quiet similar, they only differ in the
> Windowsize
> (testlvs has 0, the other tool uses a size of 65534) and sequence
> numbers (o.k.
> checksum as well)
>
> I am activating drop entry like this:
>
> - I switch on my computer (director) and start linux with the LVS Kernel
> - I type cd /proc/sys/net/ipv4/vs
> - I type echo 1 > drop_entry
May be you need to tune amemthresh. 1024 pages (4MB) are too
low value. What shows "free" under attack? You can try with 1/8 RAM size
for example. You know what is the main goal of these defense strategies:
to keep free memory in the director. Nothing more. They are activated
according to the free memory size. The packet rate is not considered.
So, 1,000,000 entries created from the other tool occupy
128MB memory. You have 256MB :) Boot with mem=128MB or set amemthresh
to 32768 or run testlvs with more source addresses (2,000,000). I'm
not sure if the last will help if the other tool you use does not
limit the number of spoofed addresses. But don't run testlvs with
less than -srcnum 2000000. If the setup allows rate > 33,333 packets/sec
LVS can create 2,000,000 entries that expire for 60 seconds (the
SYN_RECV timeout). Better not to use the -random option in testlvs
for this test.
So, you can test with such large values but make sure you
tune amemthresh in production with the best value for your director.
The default value is not very useful. You can test whether 1/8 is
a good value (8192 for 4K page size).
Regards
--
Julian Anastasov <ja@xxxxxx>
|