Julian Anastasov wrote:
Hello,
On Wed, 28 Sep 2005, Jacob Coby wrote:
I've been looking at the source code for ipvs 1.0.10 and noticed that
ip_vs_random_dropentry does not send a RESET packet to the realserver.
It is my understanding that this feature is to prevent SYN flood (and
related) attacks, but it doesn't seem like it would be effective as the
realserver will continue to SYN/ACK until it reaches tcp_synack_retries.
You've potentially saved the director from attack, but lost the
realserver(s).
In the old days we were sending an ICMP error, now it is disabled with
the nat_icmp_send sysctl. Is it enabled in your setup?
No, it is set to 0. I'm using DR; would this flag still have effect?
I only raise this issue because I've been having trouble with incomplete
connections due to buggy or overloaded NAT firewalls (or some other
factor that I can't trace). I'll see normal traffic and then a flood of
45+ SYN packets within 1.5 seconds. Or it'll generate a flood of EST
(SYN / SYN+ACK / ACK => EST) connections without sending data. I'm
thinking it's a bug (feature?) in the firewall when it gets overloaded
in that it "forgets" to send RESET or FIN packets. Or it misunderstands
the SYN+ACK retries from the realserver, or ... I'm out of ideas, and
just want to stop it from bringing down our site.
I'll be adding --syn limits to the iptables rules on the director next
week, but it still seems weird that LVS will drop a connection on the
director without letting the real server know it's dead. It's very
important, esp. when dealing with apache 1.3 or other server daemons
that fork and can take up lots of memory (and need to close connections
ASAP).
Am I missing something, or is this by design?
Regards
--
Julian Anastasov <ja@xxxxxx>
_______________________________________________
LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://www.in-addr.de/mailman/listinfo/lvs-users
--
-Jacob
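The thread describes two things a defender would want to quantify: the SYN bursts Jacob sees on the director (45+ SYNs inside 1.5 seconds) and the cost those bursts impose on a DR real server that never receives a RST and keeps retransmitting SYN/ACK until tcp_synack_retries is exhausted. The following Python is an added example, not code from the thread or from the IPVS project: it runs a sliding-window SYN-burst detector over constructed tcpdump-style lines (addresses and timestamps are made up) and estimates how long a half-open entry lives on the real server. The function names and the doubling-backoff model starting at a 1 s RTO are assumptions chosen for illustration, not a claim about the exact kernel implementation.

```python
import re
from collections import defaultdict, deque, namedtuple

# Constructed tcpdump-style lines (not a real capture). One source sends 50 SYNs
# in under a second; another completes a normal handshake.
SAMPLE_LINES = [
    f"1127916000.{100000 + i * 18000:06d} IP 203.0.113.5.{40000 + i} > 192.0.2.10.80: "
    f"Flags [S], seq {i}, win 65535, length 0"
    for i in range(50)
] + [
    "1127916000.500000 IP 198.51.100.7.51234 > 192.0.2.10.80: Flags [S], seq 100, win 65535, length 0",
    "1127916000.510000 IP 198.51.100.7.51234 > 192.0.2.10.80: Flags [.], ack 1, win 65535, length 0",
]

Packet = namedtuple("Packet", "ts src dst flags")

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.\d+: Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Parse one tcpdump-style line into a Packet, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return Packet(float(m["ts"]), m["src"], m["dst"], m["flags"])


def find_syn_bursts(lines, window=1.5, threshold=45):
    """Return {src_ip: peak SYN count} for sources that sent at least
    `threshold` pure SYNs (tcpdump flag "S", not the "S." of a SYN/ACK)
    inside any `window`-second span. Hypothetical helper for illustration."""
    packets = sorted(filter(None, map(parse_line, lines)), key=lambda p: p.ts)
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    peak = {}
    for p in packets:
        if p.flags != "S":
            continue
        q = recent[p.src]
        q.append(p.ts)
        while q and p.ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            peak[p.src] = max(peak.get(p.src, 0), len(q))
    return peak


def synack_retransmit_offsets(retries, base_rto=1.0):
    """Seconds after the first SYN/ACK at which each retransmission goes out,
    assuming the timeout doubles from base_rto (simplified model, an assumption)."""
    offsets, rto, t = [], base_rto, 0.0
    for _ in range(retries):
        t += rto
        offsets.append(t)
        rto *= 2
    return offsets


def half_open_lifetime(retries, base_rto=1.0):
    """Approximate seconds the real server keeps the half-open entry: the last
    retransmission's offset plus one further doubled RTO before it gives up."""
    offsets = synack_retransmit_offsets(retries, base_rto)
    return (offsets[-1] if offsets else 0.0) + base_rto * 2 ** retries


if __name__ == "__main__":
    print("SYN bursts:", find_syn_bursts(SAMPLE_LINES))
    # With the default-style value of 5 retries the entry lingers about a minute
    # after the director has already forgotten the connection.
    print("SYN/ACK retransmits at:", synack_retransmit_offsets(5))
    print("half-open lifetime (s):", half_open_lifetime(5))
```

Running it flags 203.0.113.5 as a burst source and leaves 198.51.100.7 alone; the lifetime estimate makes the point in the thread concrete: with no RST from the director, each dropped entry still occupies the real server for roughly a minute under the modelled backoff, which is why per-source SYN limits on the director protect the real servers as well as the director itself.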