Hi,
I think that your real servers are syn-flooded, so that nanny cannot get
responses from the real servers within the specified timeout and then removes
them from the scheduling list.
The buffer size of a port for connections in Linux is 128; in NT it is
56. Different OSes have different buffer sizes. Since you have three real
servers, your first and second testlvs runs didn't reach the sum of the
buffer sizes of the real servers, but by the third time testlvs had
sent more syn packets than the real servers' buffers can hold, and all the
real servers were syn-flooded. After the real servers recover (time out
half-open connections), nanny can get responses from the real servers
and adds them back to the scheduling list.
If you are running Linux on the real servers, you can configure SYN
cookies to protect the real servers themselves:
[ ] IP: TCP syncookie support (not enabled per default)
I am thinking about how to make the LVS box protect the real servers
from syn-flooding attacks (if the real servers cannot protect
themselves), apart from the LVS box protecting itself from syn-flooding
attacks. I thought that after the number of connections in SYN-Received
state exceeds a specified threshold, the LVS box would switch to
syn-flooding defense mode: it would use syncookies to accept
connections and relay the connections between clients and servers. However,
performance will degrade. Any other ideas?
Regards,
Wensong
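The mechanism behind both the failure and the proposed defense, as an added example (not code from this thread, from LVS, or from nanny): a per-port half-open backlog fills with SYNs that are never acknowledged, so the health checker's own SYN is dropped until the entries time out; a syncookie mode instead encodes the handshake state in the SYN-ACK's sequence number and keeps nothing until the final ACK arrives, so the backlog cannot be exhausted. The threshold switch models Wensong's idea of entering cookie mode once the SYN-Received count passes a limit. The backlog of 128 and the 254 spoofed sources come from the thread; the secret, timeouts, addresses and the simplified cookie construction (keyed hash of the tuple plus a coarse time counter) are constructed for illustration, not the kernel's actual algorithm.

```python
import hashlib
import hmac

# Constructed secret; a real kernel uses a random, periodically rotated secret.
COOKIE_SECRET = b"example-only-secret"
COOKIE_PERIOD = 60  # seconds a cookie stays valid (one counter step)


def syn_cookie(src, sport, dport, counter):
    """Stateless initial sequence number: keyed hash of the connection tuple
    and a coarse time counter, so nothing is stored before the ACK arrives."""
    msg = f"{src}:{sport}->{dport}:{counter}".encode()
    digest = hmac.new(COOKIE_SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")


def cookie_ack_valid(src, sport, dport, ack, now):
    """Accept a final ACK only if it echoes a cookie minted in this or the previous period."""
    counter = int(now // COOKIE_PERIOD)
    return any(ack == (syn_cookie(src, sport, dport, c) + 1) & 0xFFFFFFFF
               for c in (counter, counter - 1))


class Listener:
    """One listening port: fixed half-open backlog, SYN_RECV timeout, and an
    optional SYN_RECV threshold that switches the port to syncookies."""

    def __init__(self, port, backlog, syn_timeout, cookie_threshold=None):
        self.port = port
        self.backlog = backlog
        self.syn_timeout = syn_timeout
        self.cookie_threshold = cookie_threshold
        self.half_open = {}  # (src, sport) -> expiry time
        self.cookie_mode = False

    def expire(self, now):
        """Drop half-open entries whose timeout has passed (the 'recovery' in the mail)."""
        self.half_open = {k: t for k, t in self.half_open.items() if t > now}

    def recv_syn(self, src, sport, now):
        """Return the SYN-ACK's ISN, or None if the SYN had to be dropped."""
        self.expire(now)
        if self.cookie_threshold is not None and len(self.half_open) >= self.cookie_threshold:
            self.cookie_mode = True
        if self.cookie_mode:
            return syn_cookie(src, sport, self.port, int(now // COOKIE_PERIOD))
        if len(self.half_open) >= self.backlog:
            return None  # backlog full: this is what starves nanny's probe
        self.half_open[(src, sport)] = now + self.syn_timeout
        return 0x1000  # constructed ISN for the stateful path

    def recv_ack(self, src, sport, ack, now):
        """Complete the handshake either from stored state or from the cookie."""
        self.expire(now)
        if self.half_open.pop((src, sport), None) is not None:
            return True
        return self.cookie_mode and cookie_ack_valid(src, sport, self.port, ack, now)


def spoofed_flood(listener, now, sources=254, packets=4):
    """Constructed load shaped like 'testlvs -srcnum 254': SYNs from addresses
    that never ACK, so each one holds a backlog slot until it times out."""
    for i in range(sources):
        for p in range(packets):
            listener.recv_syn(f"10.3.0.{i + 1}", 1024 + p, now)


def probe_answered(cookie_threshold):
    """Does the health checker's SYN get a SYN-ACK while the flood fills the backlog?"""
    lst = Listener(port=80, backlog=128, syn_timeout=60, cookie_threshold=cookie_threshold)
    spoofed_flood(lst, now=0)
    return lst.recv_syn("192.0.2.10", 40000, now=0) is not None


def handshake_in_cookie_mode():
    """A legitimate client completes the handshake with no server-side state."""
    lst = Listener(port=80, backlog=128, syn_timeout=60, cookie_threshold=100)
    spoofed_flood(lst, now=0)
    isn = lst.recv_syn("192.0.2.10", 40000, now=1)
    return lst.recv_ack("192.0.2.10", 40000, (isn + 1) & 0xFFFFFFFF, now=2)


def probe_answered_after_timeout():
    """Without cookies, the port recovers once the half-open entries time out."""
    lst = Listener(port=80, backlog=128, syn_timeout=60)
    spoofed_flood(lst, now=0)
    return lst.recv_syn("192.0.2.10", 40000, now=61) is not None


if __name__ == "__main__":
    print("probe answered, no cookies:", probe_answered(None))
    print("probe answered, cookie threshold 100:", probe_answered(100))
    print("client handshake in cookie mode:", handshake_in_cookie_mode())
    print("probe answered after SYN_RECV timeout:", probe_answered_after_timeout())
```

On a Linux real server the equivalent of the cookie path is the kernel option quoted in the mail together with the `net.ipv4.tcp_syncookies` sysctl; the model's cost is also the one Wensong expects, since in cookie mode the server cannot carry TCP options it did not encode in the ISN, which is why it is worth engaging only above a threshold rather than always.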
On Mon, 18 Dec 2000, Andrea Cazzola wrote:
> This is my normal output for ipvsadm
>
> IP Virtual Server version 0.9.14 (size=4096)
> Prot LocalAddress:Port Scheduler Flags
> -> RemoteAddress:Port Forward Weight ActiveConn InActConn
> TCP virtual09.mydomains.it:www wlc
> -> real02.mydomains.it:www Route 1 0 0
> -> real04.mydomains.it:www Route 1 0 0
> -> real03.mydomains.it:www Route 1 0 0
> TCP virtual08.mydomains.it:www wlc
> -> real04.mydomains.it:www Route 1 0 0
> ........
> TCP virtual02.mydomains.it:www wlc
> -> real02.mydomains.it:www Route 1 0 0
> -> real03.mydomains.it:www Route 1 0 0
> -> real04.mydomains.it:www Route 1 0 0
> TCP virtual01.mydomains.it:www wlc
> -> real04.mydomains.it:www Route 1 0 0
> -> real02.mydomains.it:www Route 1 0 0
> -> real03.mydomains.it:www Route 1 0 0
>
> I have downloaded
> http://www.linuxvirtualserver.org/julian/testlvs-0-1.tar.gz and then I've run it
> with the script:
> ./testlvs 123.123.123.111:80 -tcp -srcnet 10.3.0.1 -srcnum 254 -packets 100
> ....
> ./testlvs 123.123.123.999:80 -tcp -srcnet 10.3.0.1 -srcnum 254 -packets 100
> where 123.123.123.111-999 are virtual server IP's
>
> The first and second time all was OK, but the third time ipvsadm deleted all real
> servers;
> ipvsadm -l returns this output and refuses all -a options for about 6 minutes:
>
> IP Virtual Server version 0.9.14 (size=4096)
> Prot LocalAddress:Port Scheduler Flags
> -> RemoteAddress:Port Forward Weight ActiveConn InActConn
> TCP virtual08.mydomains.it:www wlc
> TCP virtual09.mydomains.it:www wlc
> TCP virtual03.mydomains.it:www wlc
> TCP virtual01.mydomains.it:www wlc
>
> After this it seems that all return to work fine.
> Any idea?
>
> Andrea
>
> _______________________________________________
> Piranha-list mailing list
> Piranha-list@xxxxxxxxxx
> https://listman.redhat.com/mailman/listinfo/piranha-list
>