Hi,
I am a happy ipvs user for many years, but I was recently troubled by a syn
flood that took our redundant LVS-DR directors down (too many eth interrupts
to even use the console). I noticed that
http://www.linuxvirtualserver.org/docs/defense.html is quite outdated, as
the sysctl variables aren't even in recent kernels anymore. So I wonder if
anyone can refer me to any recent syn flood mitigation strategies. I assume
the secure_tcp and drop_packet functionality has been merged with the
netfilter code, but I couldn't find any relevant info.
In my setup, the default gateway for the 150+ realservers is also the
director. The realservers are on a private network. Apparently, if a
realserver receives a syn packet from a spoofed ip, it will reply six times
in 1 minute. So the flooder has a multiplier of 6, which seems the first
thing to fix. Now I wonder what everyone else out there is using as sane
sys.net.ipv4 parameters, besides the obvious tcp_synack_retries (2?)
and tcp_syncookies?
Cheers!
Willem
_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/
LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
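As an added example (not part of the original post or the LVS project), the script below audits the SYN-flood related net.ipv4 sysctls from "sysctl -a" style output and works out the multiplier the poster describes: with the default tcp_synack_retries of 5 a realserver answers one spoofed SYN with six SYN-ACKs over about a minute. The "safe" thresholds, the inclusion of tcp_max_syn_backlog, and the 1s initial retransmit timer are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: audit the SYN-flood related
# net.ipv4 sysctls in "sysctl -a" style output and estimate how many SYN-ACKs
# a realserver sends back per spoofed SYN. The thresholds are assumptions.

# SYN-ACKs per spoofed SYN: the initial one plus tcp_synack_retries retransmits.
synack_count() {
    echo $(( $1 + 1 ))
}

# Seconds a half-open connection is held: the retransmit timer doubles from
# the initial RTO (assumed 1s; older kernels used 3s). With retries=5 that is
# 1+2+4+8+16+32 = 63s, i.e. six SYN-ACKs in roughly a minute.
synack_hold_seconds() {
    retries=$1; rto=${2:-1}; total=0; i=0
    while [ "$i" -le "$retries" ]; do
        total=$(( total + rto )); rto=$(( rto * 2 )); i=$(( i + 1 ))
    done
    echo "$total"
}

# Read "key = value" lines from stdin, print a WARN line for every setting
# outside the assumed safe range, and return the number of warnings.
audit_syn_sysctls() {
    warnings=0
    while IFS='= ' read -r key value; do
        case "$key" in
            net.ipv4.tcp_syncookies)
                [ "$value" -eq 1 ] || { echo "WARN $key=$value (want 1)"; warnings=$(( warnings + 1 )); } ;;
            net.ipv4.tcp_synack_retries)
                [ "$value" -le 2 ] || { echo "WARN $key=$value (want <=2; now $(synack_count "$value") SYN-ACKs per SYN, held $(synack_hold_seconds "$value")s)"; warnings=$(( warnings + 1 )); } ;;
            net.ipv4.tcp_max_syn_backlog)
                [ "$value" -ge 4096 ] || { echo "WARN $key=$value (want >=4096)"; warnings=$(( warnings + 1 )); } ;;
        esac
    done
    return "$warnings"
}

# Constructed sample resembling "sysctl -a" output on a stock realserver.
SAMPLE='net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_synack_retries = 5
net.ipv4.tcp_max_syn_backlog = 1024'

# Run against the sample; in production pipe "sysctl -a" into it instead.
printf '%s\n' "$SAMPLE" | audit_syn_sysctls
echo "warnings: $?"
```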