|
Hello,
On Mon, 24 Sep 2001, Matthew S. Crocker wrote:
> One feature I would like to have in LVS is the ability to limit the number
> of new connections/sec from a specific IP address. Now that I have 4 Real
> Servers in my LVS handling mail, the spammers just love opening a couple
> thousand connections to send in the mail. I end up block most at the
> mail server but the connections still show up in LVS.
>
> I know this would be dangerous and could open up DoS attacks by forging
> inbound connections but if something could be done it would be great.
Option 1 (may be stupid but interesting for non-NAT clusters):
May be an array from policers, for example, 1024 policers or
an user-defined value, power of 2. Each client hits one of the policers
based on their IP/Port. This is mostly a job for QoS ingress, even the
distributed attack but may be something can be done for LVS? May be we
better to develop a QoS Ingress module? The key could be derived
from CIP and CPORT, may be something similar to SFQ but without queueing.
It can be implemented may be as a patch to the normal policer but with
one argument: the real number of policers. Then this extended policer
can look into the TCP/UDP packets to redirect each packet to one of the
real policers.
Option 2 (for NAT only):
Run SFQ qdisc on your external interface(s). It seems this is
not a solution for DR method. Of course, one can run SFQ on its uplink
router.
Option 3 (Linux 2.4 only):
iptables has support to limit the traffic but I'm not sure
whether it is useful for your requirements. I assume you want to set
limit to each one of these 1024 aggregated flows.
> -Matt
Regards
--
Julian Anastasov <ja@xxxxxx>
|
