Re: DoS - Problem

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: Re: DoS - Problem
From: joern maier <joern.maier@xxxxxxxxxxxxxxxxxxxxx>
Date: Thu, 23 Nov 2000 23:25:18 +0100
Julian Anastasov wrote:
> 
>         Hello,
> 
> On Thu, 23 Nov 2000, joern maier wrote:
> 
> > >         You can't SYN flood the director with 3 clients only. You need
> > > more clients. As an alternative, you can download "testlvs" from the web
> > > site. What does ipvsadm -Ln show under attack? How do you activate drop_entry?
> > > What does "cat drop_entry" show?
> > >
> >
> > I downloaded testlvs and flooded my system with it. With two clients, my
> > LVS gets to a denial of service, although when I'm doing "cat drop_entry"
> > it still shows me a "1".  ipvsadm -Ln shows me:
> >
> > 192.168.10.1:80 lc
> > 192.168.1.4:80        Tunnel  1       0       33246
> > 192.168.1.3:80        Tunnel  1       0       33244
> > 192.168.1.2:80        Tunnel  1       0       33246
> 
>         Maybe you run testlvs with 100,000 source addresses.
> 
> > During the flooding attack the connection values stay around this size.
> > Using the SYN-flood tool with which I tried it before, ipvsadm shows me
> > this:
> >
> > 192.168.10.1:80 lc
> > 192.168.1.4:80        Tunnel  1       0       356046
> > 192.168.1.3:80        Tunnel  1       0       355981
> > 192.168.1.2:80        Tunnel  1       0       356013
> >
> > So it shows me about ten times as many connections as your tool. I took a
> > look at the packets; both are quite similar, they only differ in the
> > window size (testlvs has 0, the other tool uses a size of 65534) and sequence
> > numbers (o.k., checksum as well).
> >
> > I am activating drop_entry like this:
> >
> > - I switch on my computer (director) and start Linux with the LVS kernel
> > - I type cd /proc/sys/net/ipv4/vs
> > - I type echo 1 > drop_entry
> 
>         Maybe you need to tune amemthresh. 1024 pages (4MB) is too
> low a value. What does "free" show under attack? You can try with 1/8 RAM size
> for example. You know what is the main goal of these defense strategies:
> to keep free memory in the director. Nothing more. They are activated
> according to the free memory size. The packet rate is not considered.
> 
>         So, 1,000,000 entries created from the other tool occupy
> 128MB memory. You have 256MB :) Boot with mem=128MB or set amemthresh
> to 32768 or run testlvs with more source addresses (2,000,000). I'm
> not sure if the last will help if the other tool you use does not
> limit the number of spoofed addresses. But don't run testlvs with
> less than -srcnum 2000000. If the setup allows rate > 33,333 packets/sec
> LVS can create 2,000,000 entries that expire for 60 seconds (the
> SYN_RECV timeout). Better not to use the -random option in testlvs
> for this test.
> 
>         So, you can test with such large values but make sure you
> tune amemthresh in production with the best value for your director.
> The default value is not very useful. You can test whether 1/8 is
> a good value (8192 for 4K page size).
> 

That all sounds good to me, but what I'm really wondering about is why
the drop_entry variable still has a value of 1. I thought it has to be 2 when
my system is under attack? To me it looks like LVS does not even think
it's under attack and therefore does not use the drop_entry mechanism.

cheers,
        Joern
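As an added illustration (not code from the thread or from the LVS project), the Python below models the memory-driven activation Julian describes: in the automatic mode, drop_entry flips from 1 to 2 only when free memory falls below amemthresh pages, so a flood that leaves most of the director's RAM free never triggers it, and that is exactly what a value of 1 under attack means. It assumes 4 KiB pages, 128 bytes per connection entry (taken from the "1,000,000 entries occupy 128MB" figure in the quoted reply), the 60-second SYN_RECV timeout from the thread, and a constructed 32 MB baseline of non-IPVS memory use; the state machine follows the kernel's documented drop_entry semantics (0 off, 1/2 automatic, 3 always on).

```python
# Added example: why drop_entry stays at 1 on a 256 MB director during a
# ~1M-entry SYN flood, and what changing amemthresh or the flood size does.

PAGE_SIZE = 4096            # assumed 4 KiB pages (thread: 1024 pages == 4 MB)
ENTRY_BYTES = 128           # assumed, from "1,000,000 entries ... 128MB" above
SYN_RECV_TIMEOUT = 60       # seconds, the SYN_RECV timeout quoted in the thread
MB = 1024 * 1024


def entries_under_flood(packets_per_sec, src_addresses):
    """Steady-state SYN_RECV entries: one per spoofed source address, capped by
    how many the director can create before the first ones expire (rate * 60s)."""
    return min(src_addresses, packets_per_sec * SYN_RECV_TIMEOUT)


def free_pages_under_flood(total_mb, baseline_used_mb, entries):
    """Free memory in pages once the connection table holds `entries`."""
    used = baseline_used_mb * MB + entries * ENTRY_BYTES
    return max(0, (total_mb * MB - used) // PAGE_SIZE)


def update_defense_level(drop_entry, free_pages, amemthresh):
    """drop_entry state machine (documented kernel semantics, modelled here):
    0 = never drop; 1/2 = automatic, the variable is set to 2 and dropping is
    on while free_pages < amemthresh, otherwise it is set back to 1 and off;
    3 = always drop.  Returns (new_drop_entry_value, dropping_active)."""
    nomem = free_pages < amemthresh
    if drop_entry == 0:
        return 0, False
    if drop_entry in (1, 2):
        return (2, True) if nomem else (1, False)
    return 3, True


def simulate(total_mb, baseline_used_mb, amemthresh, pps, srcnum, drop_entry=1):
    """Run one flood scenario and report what 'cat drop_entry' would show."""
    entries = entries_under_flood(pps, srcnum)
    free = free_pages_under_flood(total_mb, baseline_used_mb, entries)
    mode, dropping = update_defense_level(drop_entry, free, amemthresh)
    return {"entries": entries, "free_pages": free,
            "drop_entry": mode, "dropping": dropping}


if __name__ == "__main__":
    # Joern's case: ~1,068,000 entries (sum of the three ipvsadm counters),
    # 256 MB RAM, default amemthresh of 1024 pages -> plenty of memory left.
    print(simulate(256, 32, 1024, 20000, 1_068_040))
    # Same flood with amemthresh raised to 32768 pages (128 MB) -> activates.
    print(simulate(256, 32, 32768, 20000, 1_068_040))
    # Julian's suggested test: >33,333 pps with 2,000,000 sources -> RAM gone.
    print(simulate(256, 32, 1024, 40000, 2_000_000))
```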