Hello,
If you can _really_ figure out a metric for mutually exclusive TCP/SYN patterns
generated by existing worms and write it down in a mathematical formula which
has a lower false positive rate than any TCP/QoS "defense" mechanism using a
stochastic (timed) fairness approach, I think you will not need to worry about
money anymore in the future. In fact a lot of very influential people in the
Internet business might feel the sudden urge to talk to you! ;)
> It's good to have feedback from big guys like you and Dave - though both of you
I'm steadily losing weight currently :)
> are standing with opposite opinions from each other regarding syncookies. Anyway, I
> will try everything step by step and get back to you.
Very good and I think we already agreed.
> Test 1 (already started): one W2K server + IIS without any Microsoft patch is
> kept ON to simulate a nimda attack on the proxies. After watching the nimda hit
> in the proxy's access log, I will enable syncookies in the directors and
> proxies. I will let you know the result - if it can drop the SYN packet.
Ok. How do you simulate false positives, like AOL trying to access your
site?
> Test 2: limit SYNs from a certain IP using QoS in 2.2.x kernels
> Test 3: I will try to make TP work with kernel 2.4.x and will try to drop SYN
> packets in the director using iptables iplimit (Not for money ratz! just a try)
> :)
> Test 4: Use the tcp_defense mechanism in LVS
This might not be better than the other ones; it might start to drop
legitimate traffic.
> Test 5: As per ratz's advice "If you have spare hardware you should really
> think about setting up a proxy-like bastion in front of your RS. Something like
> apache reverse proxy or mod_rewrite and then define rules in terms of what is
> allowed to get to your RS' and drop'n'log the rest."
Look, I'm glad you take my pieces of advice with a grain of salt. I mean
if you find an easy way to fix 90% of your problems in 10% of the time
then of course go for it.
Take care and good luck with conducting your tests,
Roberto Nibali, ratz
--
echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq'|dc