On Mon, Sep 24, 2001 at 03:27:06PM +0300, Julian Anastasov wrote:
>
> Option 1 (may be stupid but interesting for non-NAT clusters):
>
> Maybe an array of policers, for example, 1024 policers or
> a user-defined value, power of 2. Each client hits one of the policers
> based on their IP/Port. This is mostly a job for QoS ingress, even the
> distributed attack, but maybe something can be done for LVS? Maybe we
> had better develop a QoS Ingress module? The key could be derived
> from CIP and CPORT, maybe something similar to SFQ but without queueing.
> It can be implemented, maybe as a patch to the normal policer but with
> one argument: the real number of policers. Then this extended policer
> can look into the TCP/UDP packets to redirect each packet to one of the
> real policers.
>
Speaking of the ingress policer, is anybody actually using it for
anti-DoS? I tried it several days ago using the script in the iproute2
package: iproute2/examples/SYN-DoS.rate.limit. It didn't work for me.
I've tested it against different 2.2 kernels (2.2.19-7.0.8 (Red Hat
kernel), 2.2.19, 2.2.20preX, with all QoS-related functions either
compiled into the kernel or as modules) and different versions of
iproute2. In all cases, tc fails to install the ingress qdisc policer:
root@panda:~# tc qdisc add dev eth0 handle ffff: ingress
RTNETLINK answers: No such file or directory
root@panda:~# /tmp/tc qdisc add dev eth0 handle ffff: ingress
RTNETLINK answers: No such file or directory
--
Wenzhuo
GnuPG Key 1024D/BA586A68
Key fingerprint = 89C7 C6DE D956 F978 3F12 A8AF 5847 F840 BA58 6A68
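The hashed array of policers proposed in the quoted message, as an added example that is not part of this thread or of the LVS/iproute2 code: N token-bucket policers (N a power of two) selected by a keyed hash of CIP and CPORT, SFQ-style but with no queueing, so a packet whose bucket has no token is simply dropped. The perturbation key, the rates and the sample traffic are assumptions constructed for the demonstration.

```python
import hashlib
import socket
import struct


class Policer:
    """One token-bucket policer: refills `rate` tokens/s, holds at most `burst`."""

    def __init__(self, rate, burst):
        self.rate, self.burst = float(rate), float(burst)
        self.tokens, self.last = float(burst), 0.0

    def conform(self, now):
        # Refill for the elapsed time (capped at burst), then spend one token or drop.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class HashedPolicer:
    """N policers, N a power of two, selected by a keyed hash of (CIP, CPORT)."""

    def __init__(self, n_policers=1024, rate=10.0, burst=5.0, key=b"perturb-key"):
        if n_policers <= 0 or n_policers & (n_policers - 1):
            raise ValueError("n_policers must be a power of two")
        self.mask = n_policers - 1
        self.key = key  # assumed secret, like SFQ perturbation: a sender cannot pick its bucket
        self.policers = [Policer(rate, burst) for _ in range(n_policers)]

    def index(self, cip, cport):
        flow = socket.inet_aton(cip) + struct.pack("!H", cport)
        digest = hashlib.blake2b(flow, key=self.key, digest_size=4).digest()
        return int.from_bytes(digest, "big") & self.mask

    def accept(self, now, cip, cport):
        return self.policers[self.index(cip, cport)].conform(now)


def simulate(packets, **kw):
    """packets: (time_s, cip, cport) tuples -> {(cip, cport): accepted packet count}."""
    hp, accepted = HashedPolicer(**kw), {}
    for now, cip, cport in sorted(packets):
        accepted[(cip, cport)] = accepted.get((cip, cport), 0) + hp.accept(now, cip, cport)
    return accepted


# Constructed traffic: one source floods 100 packets at t=0 and exhausts only its own
# bucket (burst=5 accepted); a normal client sending one packet per second is still accepted.
FLOOD = [(0.0, "198.51.100.7", 40000)] * 100
NORMAL = [(t, "192.0.2.10", 51000) for t in (1.0, 2.0, 3.0)]
```

Even if the two flows collide on the same bucket, the normal client's packets arrive after the bucket has refilled, so they are still accepted; in a real deployment the key would be rotated, as SFQ perturbs its hash.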