Hello,
On Mon, 8 Oct 2001, Michael McConnell wrote:
> In the event that I run out. I believe this could result in a very easy DoS,
> let's say I have a timeout of 2 hours, and all my systems run behind an
> IPCHAINS Firewall. It would be very simple to execute an attack that
> established 30,000 TCP connections. All of the connections would be pending
> a 2 hour timeout, and damn, DoS...
Yes, without timeout values specific for each LVS virtual
service and another for the masqueraded connections it is difficult
to play such games. It seems only one timeout needs to be separated,
the TCP EST timeout. The reason that such support is not in 2.2
may be because nobody wants to touch the user structures. IMO, it can
be added for 2.4 if there are enough free options in ipvsadm but
it also depends on some implementation details.
> Knowing how to deal with such an event would be a good thing.
If you worry about the free memory you can use some defense
strategies:
echo 1 > drop_entry
http://www.linuxvirtualserver.org/docs/defense.html
> Thanks,
>
> Michael
Regards
--
Julian Anastasov <ja@xxxxxx>