Hello,
On Tue, 2 Jul 2002, Benoit Gaussen wrote:
> Hi,
>
> I made a patch to limit the number of active connections per real server.
> It simply quiesces real servers that reach their maxconns in the
> ip_vs_*_schedule function of the schedulers, the same way it does for real
> servers with weight=0.
> Real servers with maxconns=0 have no limit.
>
> There is a little problem: when connections are created very fast, the
> scheduler does not see all of them as active yet. So when connections
> enter the active state, their number may be higher than maxconns.
The word "little" does not make the attackers happy.
They waste their time on "big problems" :))) It seems you see
where the flaw is in applying such limits. You are going to die
on the first attack.
> Is that a feature that may interest LVS people, and that may be included in
> next LVS releases (in this form or other) ?
Ratz has had a patch for this for a long time:
http://www.linuxvirtualserver.org/~ratz/
I'm still not sure whether he has persuaded himself of
how efficiently such a policy can be applied. It only makes the
ipvsadm output happy about limiting the real servers. I'm still
not sure one can run it safely without worrying about problems.
Enter the QoS world; there are solutions there for such attacks.
We can also look for the solution in running agents on the real
servers that can really tell us how much these connections hurt; maybe
web1 does not care about 100 conns/sec while web2 is full
with 10 conns/s. For this, you have to enter the cluster software
world :)
Regards
--
Julian Anastasov <ja@xxxxxx>
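A deterministic model of the overshoot Benoit describes, added here as an illustration and not code from the thread or from LVS: a burst of new connections is scheduled before any of them has become active, so a check on the active count alone admits the whole burst. The names RealServer, schedule and burst are invented, and the "reserving" variant that counts scheduled-but-not-yet-active connections is one possible mitigation, not what the patch does.

```python
from dataclasses import dataclass

@dataclass
class RealServer:
    name: str
    maxconns: int      # 0 means no limit, as in the patch described above
    active: int = 0    # connections already seen as active by the scheduler
    pending: int = 0   # scheduled, but the handshake has not completed yet

    def quiesced_naive(self) -> bool:
        # Looks only at active connections: everything scheduled during the
        # window before a connection becomes active is invisible here.
        return self.maxconns > 0 and self.active >= self.maxconns

    def quiesced_reserving(self) -> bool:
        # Counts the slot at scheduling time, so a burst cannot overshoot.
        return self.maxconns > 0 and self.active + self.pending >= self.maxconns

def schedule(servers, quiesced):
    """Pick the first non-quiesced server (order stands in for the
    scheduler's own policy). Returns None when every server is quiesced,
    which the real scheduler reports as 'no destination available'."""
    for rs in servers:
        if not quiesced(rs):
            rs.pending += 1
            return rs
    return None

def burst(servers, n, quiesced):
    """n connections arrive before any handshake completes; afterwards all
    pending connections become active. Returns active count per server."""
    for _ in range(n):
        schedule(servers, quiesced)
    for rs in servers:
        rs.active += rs.pending
        rs.pending = 0
    return {rs.name: rs.active for rs in servers}

if __name__ == "__main__":
    # Constructed setup: web1 limited to 3, web2 unlimited, burst of 10.
    print(burst([RealServer("web1", 3), RealServer("web2", 0)], 10,
                RealServer.quiesced_naive))      # web1 ends up with 10
    print(burst([RealServer("web1", 3), RealServer("web2", 0)], 10,
                RealServer.quiesced_reserving))  # web1 capped at 3
```

Reserving the slot removes the overshoot but not the concern raised above: an attacker filling the slots still quiesces the server, so the limit needs to be paired with something that judges load on the real servers themselves.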