Re: udp flood tool crashes LVS-NAT from the inside

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: udp flood tool crashes LVS-NAT from the inside
From: Graeme Fowler <graeme@xxxxxxxxxxx>
Date: Sat, 6 Nov 2004 12:00:35 +0000 (GMT)
On Sat, 6 Nov 2004, Mickey Everts wrote:
> Today I had an incident at work where an attacker used a PHP exploit to grab
> the following script and run it from one of our "real servers" (running as
> apache's permissions):
> http://www.packetstormsecurity.org/DoS/udp.pl

Ouch. Common, sadly, but ouch.

> This rather short script brought our LVS box, a 3 GHz Pentium 3 system with
> dual gigabit interfaces, to its knees.  Note that it's actually connected to
> a 100 megabit interface.  Obviously we want to secure our real servers, but
> is there any way to stop this kind of thing from killing our LVS server so
> easily?

You could not only "harden" your systems, but also consider using the iptables
'limit' module and/or Linux QoS tools to limit arbitrary outbound traffic. If
you know that your webserver isn't going to initiate outbound connections, for
example, you can create policies to squash packet and bit rates from arbitrary
ports without breaking Apache's return traffic.

I've seen gigabit-connected servers (and 100 meg, too) bring entire Cisco-based
networks to their knees in a matter of seconds simply by creating floods
of tens (or hundreds) of thousands of packets per second. Everything has a
limit as to how many packets it can shovel, and if you hit that limit then
things start to break.

In a nutshell, the short answer is no!

Graeme
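One way to put the iptables 'limit' suggestion above into practice on a real server, as an added example that is not part of the original thread: a POSIX shell function that emits rules letting Apache's return traffic through while capping any UDP the server tries to originate itself. It assumes the web server only needs outbound UDP for DNS to a single resolver; the resolver address 192.0.2.53 and the interface name eth0 are placeholders, and the `state` and `limit` matches are assumed to be available in the kernel.

```shell
#!/bin/sh
# Emit iptables rules that let a real server answer the web traffic LVS
# forwards to it while throttling any UDP it tries to originate itself.
# Usage: outbound_udp_rules <iptables-cmd> <resolver-ip> <interface>
#   outbound_udp_rules echo     192.0.2.53 eth0   # preview the rules
#   outbound_udp_rules iptables 192.0.2.53 eth0   # apply them (as root)
# 192.0.2.53 and eth0 are placeholder values, not from the original thread.
outbound_udp_rules() {
    ipt="${1:-iptables}"
    resolver="${2:-192.0.2.53}"
    iface="${3:-eth0}"

    # Dedicated chain so the policy can be flushed and reloaded on its own.
    "$ipt" -N LVS_OUT
    "$ipt" -A OUTPUT -o "$iface" -j LVS_OUT

    # Replies to connections that clients opened (Apache's return traffic)
    # are ESTABLISHED and pass untouched; a flood tool's packets, which
    # never see a reply, stay NEW and fall through to the rules below.
    "$ipt" -A LVS_OUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The one legitimate UDP the web server originates: DNS to its resolver.
    "$ipt" -A LVS_OUT -p udp -d "$resolver" --dport 53 -j ACCEPT

    # Everything else UDP the server tries to send is capped by the limit
    # match: 10 packets/second after an initial burst of 20, rest dropped.
    "$ipt" -A LVS_OUT -p udp -m limit --limit 10/second --limit-burst 20 -j ACCEPT
    # Log the overflow sparingly so the flood itself cannot fill the syslog.
    "$ipt" -A LVS_OUT -p udp -m limit --limit 1/minute -j LOG --log-prefix "udp-flood: "
    "$ipt" -A LVS_OUT -p udp -j DROP
}

# Count how many rules of the generated policy actually rate-limit UDP;
# a quick sanity check on the preview before applying it to a live box.
count_limit_rules() {
    outbound_udp_rules echo "$@" | grep -c -- '-m limit'
}
```

Preview with `outbound_udp_rules echo 192.0.2.53 eth0`, then apply with `iptables` in place of `echo`; outbound TCP is deliberately left to the OUTPUT chain's existing policy.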
