Hi,
I am changing the subject of the message to make the discussion relevant.
> If you can _really_ figure out a metric for mutually exclusive TCP/SYN
> patterns generated by existing worms and write it down in a mathematical
> formula which has a lower false positive rate than any TCP/QoS "defense"
> mechanism using a stochastic (timed) fairness approach, I think you will not
> need to worry about money anymore in the future. In fact a lot of very
> influential people in the Internet business might feel the sudden urge to
> talk to you! ;)
It's good to have feedback from big guys like you and Dave - though the two of
you hold opposite opinions regarding syncookies. Anyway, I will try everything
step by step and get back to you.
Test 1 (already started): one W2K server + IIS without any Microsoft patch is
kept ON to simulate a Nimda attack on the proxies. After watching the Nimda hits
in the proxy's access log, I will enable syncookies in the directors and
proxies. I will let you know the result - whether it can drop the SYN packets.
Test 2: limit SYNs from a certain IP using QoS in 2.2.x kernels
Test 3: I will try to make TP work with kernel 2.4.x and will try to drop SYN
packets in the director using iptables iplimit (not for money, ratz! just a try)
Test 4: Use the tcp_defense mechanism in LVS
Test 5: As per ratz's advice "If you have spare hardware you should really
think about setting up a proxy-like bastion in front of your RS. Something like
apache reverse proxy or mod_rewrite and then define rules in terms of what is
allowed to get to your RS' and drop'n'log the rest."
> Best regards and please don't let me be in your way,
Thanks, and I will not.
Faruk
----------------------------------------------------------
This mail sent through AIT WebMail : http://www.ait.ac.th/
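The log-watching step of Test 1 above, as an added example that is not part of Faruk's mail or of the LVS project: it parses constructed access-log lines, flags requests matching the well-known Nimda IIS probe paths (root.exe, cmd.exe, the double-encoded `..%255c` traversal), counts them per source, and emits candidate iptables drop rules for a human to review. The sample log lines and the hit threshold are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample lines (Apache common log format) for demonstration only;
# they are not taken from the original mail or from any real proxy log.
SAMPLE_LOG = """\
192.0.2.10 - - [21/Sep/2001:10:01:02 +0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
192.0.2.10 - - [21/Sep/2001:10:01:03 +0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 276
192.0.2.10 - - [21/Sep/2001:10:01:03 +0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276
192.0.2.10 - - [21/Sep/2001:10:01:04 +0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276
198.51.100.7 - - [21/Sep/2001:10:02:00 +0700] "GET /index.html HTTP/1.1" 200 5120
198.51.100.7 - - [21/Sep/2001:10:02:01 +0700] "GET /images/logo.gif HTTP/1.1" 200 2048
203.0.113.5 - - [21/Sep/2001:10:03:10 +0700] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276
"""

# client-ip ident user [time] "method path proto" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

# Paths Nimda's IIS probes request: root.exe / cmd.exe directly, or the
# double-encoded "..%255c" traversal that reaches cmd.exe on unpatched IIS.
NIMDA_RE = re.compile(r"(root\.exe|cmd\.exe|%255c)", re.IGNORECASE)


def parse_line(line):
    """Return (client_ip, path, status) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, _method, path, status = m.groups()
    return ip, path, int(status)


def is_nimda_probe(path):
    """True when the request path matches a known Nimda probe pattern."""
    return NIMDA_RE.search(path) is not None


def scan_log(log_text):
    """Count Nimda probe requests per client IP; other traffic is ignored."""
    hits = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and is_nimda_probe(parsed[1]):
            hits[parsed[0]] += 1
    return dict(hits)


def block_rules(hits, threshold=3):
    """Candidate iptables rules (printed for review, never executed here) for
    sources at or above the threshold; a single stray hit is left alone."""
    return [f"iptables -A INPUT -s {ip} -p tcp --dport 80 --syn -j DROP"
            for ip, n in sorted(hits.items()) if n >= threshold]
```

Running `block_rules(scan_log(SAMPLE_LOG))` on the constructed log yields one rule for 192.0.2.10 (4 probes) and none for 203.0.113.5 (1 probe), which is the point of the threshold.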