> > --- if I can limit the simultaneous SYN connections from the source IP using
> > iptables, I think that it is possible to fight against Nimda.
>
> Have you tested this? And how do you know which SYN request will lead to a
> stream containing Nimda? If you rate limit SYNs (also possible with 2.2.x
> kernels, check out QoS, backlog queue) you will most certainly punish legitimate
> traffic.
My conception is that humans usually do not establish as many SYN connections as
Nimda or other worms do; if I can determine a threshold of simultaneous SYN
connections that Nimda usually creates, I will probably be able to drop packets
from any source IP that meets the threshold. There is a chance of false
positives - I agree.
>
> You can rate limit SYNs from a certain IP using QoS in 2.2.x kernels or the
> limit target in iptables or you use the tcp_defense mechanism in LVS. There is
> nothing intelligent you can do at layer 4 against Nimda, except maybe use u32
> qualifiers to filter them out; but then we have CR, CRII and all those variants
> of worms people come up with ... You will never address the root of the problem
> which lies at the application layer.
That would be a useful thing to test, using QoS in the 2.2.x kernel - thanks for
this info. I will try it.
>
> > Any good solution ?
>
> If you have spare hardware you should really think about setting up a
> proxy-like bastion in front of your RS. Something like apache reverse proxy or
> mod_rewrite and then define rules in terms of what is allowed to get to your
> RS' and drop'n'log the rest.
I am not clear about this.
>
> >>ipchains -A input -s 0/0 -d 127.0.0.1/255.255.255.255 -j ACCEPT
> >>ipchains -A input -s 0/0 -d 0/0 80 -p tcp -j REDIRECT 80 -m 1
> >
> > Why do you need those two rules? What exactly are you trying to do here? I
> > think you would like to fwmark the VIP but what for? But why the redirect?
> >
> > --- well, the rule 1 is useless, rule 2 is to fwmark and to redirect all
> > http traffic to real servers. I use heartbeat-ldirectord in the director.
>
> I still do not understand. The load balancer already does the redirection on
> incoming traffic to port 80. You do not seem to be running any other service so
> why don't you simply set up a VIP?
>
> AFAICR the last rule of yours will fetch incoming packets to any destination and
> port 80 (I wonder if you really want to do that) and redirect it to localhost
> port 80 and that's maybe why you have the second rule.
>
> Again, why don't you set up a VIP:80 service for your site?
That's a good point. I will do it.
Thanks again.
Faruk
----------------------------------------------------------
This mail sent through AIT WebMail : http://www.ait.ac.th/
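An added illustration of the per-source SYN threshold idea discussed above (not code from the thread or from LVS): a sliding-window count of port-80 SYNs per source IP over constructed log lines, with a second run at a low threshold showing the false-positive case the reply warns about. The log format and all addresses are constructed for this example.

```python
"""Sliding-window SYN-rate detector over constructed packet log lines.

Constructed log format (not a real tool's output):
  <epoch_seconds> <src_ip> <dst_ip>:<dst_port> <tcp_flags>
"""
from collections import defaultdict, deque

# Constructed sample: 10.0.0.5 opens many port-80 connections to many hosts
# in under a second (worm-like scanning); 192.0.2.7 is an ordinary client
# fetching a page plus a couple of assets from one server.
SAMPLE_LOG = """\
1000.00 192.0.2.7 203.0.113.10:80 S
1000.05 192.0.2.7 203.0.113.10:80 S
1000.10 10.0.0.5 203.0.113.10:80 S
1000.20 10.0.0.5 203.0.113.11:80 S
1000.30 10.0.0.5 203.0.113.12:80 S
1000.40 10.0.0.5 203.0.113.13:80 S
1000.50 192.0.2.7 203.0.113.10:80 S
1000.60 10.0.0.5 203.0.113.14:80 S
1000.70 10.0.0.5 203.0.113.15:80 S
1001.00 192.0.2.7 203.0.113.10:22 S
1001.10 10.0.0.5 203.0.113.16:80 SA
"""


def parse_line(line):
    """Split one constructed log line into typed fields."""
    ts, src, dst, flags = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return float(ts), src, dst_ip, int(dst_port), flags


def find_syn_floods(log_text, threshold, window):
    """Return {src_ip: timestamp} for sources that send more than `threshold`
    pure SYNs (flags == "S") to port 80 within any `window`-second span.
    The timestamp is the moment the threshold was first exceeded."""
    recent = defaultdict(deque)  # src_ip -> timestamps of recent SYNs
    flagged = {}
    for line in log_text.splitlines():
        ts, src, _dst_ip, dst_port, flags = parse_line(line)
        if flags != "S" or dst_port != 80:  # ignore SYN/ACKs and other ports
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:  # drop SYNs older than the window
            q.popleft()
        if len(q) > threshold and src not in flagged:
            flagged[src] = ts
    return flagged
```

With threshold 5 only the scanning host is flagged; with threshold 2 the ordinary client is flagged as well, which is the false-positive trade-off raised in the thread.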