
Re: ip_vs_random_dropentry

To: Jacob Coby <jcoby@xxxxxxxxxxxxxxx>
Subject: Re: ip_vs_random_dropentry
Cc: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
From: Julian Anastasov <ja@xxxxxx>
Date: Thu, 29 Sep 2005 08:01:42 +0300 (EEST)
        Hello,

On Wed, 28 Sep 2005, Jacob Coby wrote:

> I've been looking at the source code for ipvs 1.0.10 and noticed that
> ip_vs_random_dropentry does not send a RESET packet to the realserver.
> It is my understanding that this feature is to prevent SYN flood (and
> related) attacks, but it doesn't seem like it would be effective as the
> realserver will continue to SYN/ACK until it reaches tcp_synack_retries.
>   You've potentially saved the director from attack, but lost the
> realserver(s).

        In old days we were sending ICMP error, now it is disabled with
nat_icmp_send sysctl. Is it enabled in your setup?

> Am I missing something, or is this by design?

Regards

--
Julian Anastasov <ja@xxxxxx>
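The cost Jacob describes, as an added example that is not part of the thread and is not LVS project code: a small model of how long a realserver keeps a half-open connection when the director silently drops its IPVS entry, plus a check of the sysctl the reply points at. It assumes Linux retransmits the SYN/ACK with exponential backoff starting at one second and gives up after tcp_synack_retries retransmissions; the sysctl lines are constructed sample input in `sysctl -a` format, and the `net.ipv4.vs.nat_icmp_send` key path is an assumption based on the name used in the reply.

```python
# Added example; not code from the LVS project or from the thread's authors.
# Models the situation in the thread: the director drops its connection entry
# but nothing tells the realserver, so the realserver keeps retransmitting the
# SYN/ACK until tcp_synack_retries is exhausted.
#
# Assumptions (labelled): the first SYN/ACK retransmission happens after
# initial_rto seconds and the interval doubles each time; the realserver gives
# up after tcp_synack_retries retransmissions have expired. The sysctl key
# path net.ipv4.vs.nat_icmp_send is assumed from the name in the reply.
from typing import Dict, List, Union

# Constructed sample input in `sysctl -a` format (not real output).
SAMPLE_SYSCTL = [
    "net.ipv4.tcp_synack_retries = 5",
    "net.ipv4.vs.drop_entry = 1",
    "net.ipv4.vs.nat_icmp_send = 0",
]


def synack_retransmit_offsets(tcp_synack_retries: int,
                              initial_rto: float = 1.0) -> List[float]:
    """Seconds after the original SYN/ACK at which each retransmission is sent."""
    offsets: List[float] = []
    elapsed = 0.0
    rto = initial_rto
    for _ in range(tcp_synack_retries):
        elapsed += rto
        offsets.append(elapsed)
        rto *= 2  # exponential backoff (assumed)
    return offsets


def halfopen_lifetime(tcp_synack_retries: int, initial_rto: float = 1.0) -> float:
    """Seconds the realserver holds a half-open entry when nothing tells it to
    stop: every retransmission interval plus the final wait before it gives up."""
    return sum(initial_rto * (2 ** i) for i in range(tcp_synack_retries + 1))


def realserver_backlog(drop_rate_per_s: float, lifetime_s: float) -> float:
    """Little's law: half-open entries the realserver carries in steady state
    when the director silently drops drop_rate_per_s entries per second."""
    return drop_rate_per_s * lifetime_s


def parse_sysctl(lines: List[str]) -> Dict[str, Union[int, str]]:
    """Parse 'key = value' lines as printed by sysctl -a; numeric values become ints."""
    table: Dict[str, Union[int, str]] = {}
    for line in lines:
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.strip()
        table[key.strip()] = int(value) if value.lstrip("-").isdigit() else value
    return table


def assess(sysctl: Dict[str, Union[int, str]], drop_rate_per_s: float) -> dict:
    """Report whether the director notifies realservers of dropped entries and
    what the silent-drop case costs the realserver per the model above."""
    retries = int(sysctl.get("net.ipv4.tcp_synack_retries", 5))
    notified = sysctl.get("net.ipv4.vs.nat_icmp_send", 0) == 1
    lifetime = halfopen_lifetime(retries)
    return {
        "director_drops_entries": sysctl.get("net.ipv4.vs.drop_entry", 0) != 0,
        "realserver_notified_by_icmp": notified,
        "halfopen_lifetime_s": lifetime,
        "silent_drop_backlog": realserver_backlog(drop_rate_per_s, lifetime),
    }


if __name__ == "__main__":
    report = assess(parse_sysctl(SAMPLE_SYSCTL), drop_rate_per_s=100.0)
    for key, value in report.items():
        print(f"{key}: {value}")
```

With the constructed input (tcp_synack_retries = 5, nat_icmp_send = 0) the realserver holds each orphaned half-open entry for 63 seconds, so a director dropping 100 entries per second leaves the realserver carrying about 6300 half-open entries in steady state; the report flags that nat_icmp_send is off, which is the setting the reply asks about.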
