
Re: DoS protection strategies

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: DoS protection strategies
From: Graeme Fowler <graeme@xxxxxxxxxxx>
Date: Tue, 18 Apr 2006 19:48:52 +0100
Hi

On Tue, 2006-04-18 at 17:53 +0200, Willem de Groot wrote:
> To my surprise, opening 150 tcp connections to a default apache
> installation is enough to effectively DoS it for a few minutes (until
> connections time out). This could be circumvented by using
> mod_throttle, mod_bwshare or mod_limitipconn but imho a much better
> place to solve this is at the LVS loadbalancer. Which already does
> source IP tracking for the "persistency" feature.

This is an application (Apache) configuration issue, not really a load
balancing issue at all.

A default Apache configuration shouldn't, ideally, be in production. The
MaxClients setting is 150 (may be higher depending on distro and choice
of MPM) for a reason, which is that not everyone has the same hardware
and resource availability. It's better that you're given a limited
resource version than one which immediately spins away and causes your
server to expire due to lack of memory, for example.

> Did anyone implement such a feature? Considerations?

In LVS? No - this is a problem which LVS itself can't help with, given
that the concept of true feedback isn't implemented.

If you spend the time to get to know your server, you'll find that you
can sort out this sort of resource famine quite easily by tuning Apache,
with the caveat that it will _always_ be possible to cause Apache (or
any other webserver for that matter) to fall over by flooding it. Think
about the infamous "Slashdot effect".

You could, in theory, do some limiting with netfilter/iptables on the
director, but that's OT for this list.

> A sample script to test your webhosting provider:
<snip>

...or just use ApacheBench, which comes with Apache :)

Graeme
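The reply points at two places to deal with connection exhaustion: bounding Apache's worker pool (and how long one client can hold a worker) and, "in theory", per-source limiting with netfilter on the director. The script below is an added example written for this archive page, not code from the thread or from the LVS project. It assumes an iptables with the connlimit and hashlimit match modules (mainline since kernel 2.6.23; earlier kernels needed patch-o-matic), a service on TCP port 80, Apache 2.2 directive names (2.4 renamed MaxClients to MaxRequestWorkers), and illustrative limit values that you would tune to your own hardware and traffic.

```shell
#!/bin/sh
# Added example: per-source connection limiting on an LVS director with
# netfilter, plus an Apache prefork fragment sized to memory rather than
# left at the stock value. Limits and sizes are illustrative assumptions.

# Print an iptables-restore ruleset for the filter table.
# $1 = service port, $2 = max concurrent connections per source IP,
# $3 = max new connections per second per source IP.
# INPUT is the right chain on a director: ip_vs hooks LOCAL_IN after
# the filter table has run.
connlimit_rules() {
    port=$1; per_ip_max=$2; syn_rate=$3
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Reset new connections from a source that already holds more than $per_ip_max
# established connections to port $port (counted per /32 via the mask).
-A INPUT -p tcp --syn --dport $port -m connlimit --connlimit-above $per_ip_max --connlimit-mask 32 -j REJECT --reject-with tcp-reset
# Slow down connection floods: allow $syn_rate new connections/s per source
# with a small burst, and drop anything above that.
-A INPUT -p tcp --syn --dport $port -m hashlimit --hashlimit-name web_syn --hashlimit-mode srcip --hashlimit-upto ${syn_rate}/second --hashlimit-burst $((syn_rate * 2)) -j ACCEPT
-A INPUT -p tcp --syn --dport $port -j DROP
COMMIT
EOF
}

# Size the prefork pool to memory instead of keeping the stock 150:
# $1 = MB of RAM you are willing to give Apache, $2 = typical per-child
# resident size in MB (measure it with ps or top on the real server).
max_clients() {
    echo $(( $1 / $2 ))
}

# Emit a prefork MPM fragment (Apache 2.2 names) with short timeouts so an
# idle client cannot pin a worker for minutes.
apache_prefork_fragment() {
    clients=$(max_clients "$1" "$2")
    cat <<EOF
<IfModule prefork.c>
    ServerLimit       $clients
    MaxClients        $clients
    StartServers      5
    MinSpareServers   5
    MaxSpareServers   10
</IfModule>
# Seconds a worker waits on a slow client before giving up (2.2 stock: 300).
Timeout           20
KeepAlive         On
KeepAliveTimeout  3
EOF
}

# Usage: sh director-limits.sh --show   (prints both fragments for review)
if [ "${1:-}" = "--show" ]; then
    connlimit_rules 80 20 10
    apache_prefork_fragment 1024 25
fi
```

Review the printed ruleset before loading it with `connlimit_rules 80 20 10 | iptables-restore -n` on the director; the connlimit rule answers the "150 idle connections from one host" case directly, and the hashlimit rule only blunts floods of new connections, so the Apache Timeout and KeepAliveTimeout reductions still matter on the real servers.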

