[lvs-users] Reduce effects of syn flood attacks

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: [lvs-users] Reduce effects of syn flood attacks
From: DjinnS <djinns@xxxxxxxxxxxx>
Date: Sun, 10 Feb 2013 17:25:17 +0100
Hello,

We have been facing several syn flood attacks for the last 2 weeks.

We use IPVS boxes on top of our infrastructure, directly after our 
routers. We use IPVS with the option "Netfilter connection tracking". 
So our boxes (2 boxes in active/backup) do filtering and 
load-balancing. We use IPVS in NAT mode and a 3.0.36 kernel.

For the moment, we reduce the effects of syn flood attacks with our routers 
(discarding traffic). But we are interested in doing this job on our 
firewalls. We have seen a lot of discussions about these subjects and I have a 
few questions for the community about your experiences with these situations.

First, we know about the LVS defense strategies against DoS attacks 
(http://www.linuxvirtualserver.org/docs/defense.html). These options are 
disabled for the moment but we are thinking of activating them.
* How do we determine the value for /proc/sys/net/ipv4/vs/amemthresh? Our 
boxes have 4Gb of memory.
* In the case of using /proc/sys/net/ipv4/vs/drop_packet in mode 3, 
how do we configure the right value for /proc/sys/net/ipv4/vs/am_droprate?
* Regarding /proc/sys/net/ipv4/vs/secure_tcp, we see in the 
documentation (web+man) that we can customize some timeouts. But we 
can't find the following entries in the /proc directory:

/proc/sys/net/ipv4/vs/timeout_close
/proc/sys/net/ipv4/vs/timeout_closewait
/proc/sys/net/ipv4/vs/timeout_established
/proc/sys/net/ipv4/vs/timeout_finwait
/proc/sys/net/ipv4/vs/timeout_icmp
/proc/sys/net/ipv4/vs/timeout_lastack
/proc/sys/net/ipv4/vs/timeout_listen
/proc/sys/net/ipv4/vs/timeout_synack
/proc/sys/net/ipv4/vs/timeout_synrecv
/proc/sys/net/ipv4/vs/timeout_synsent
/proc/sys/net/ipv4/vs/timeout_timewait
/proc/sys/net/ipv4/vs/timeout_udp

As I said before, we use a 3.0 kernel. Has there been a change to these 
entries? We just have these entries:

am_droprate
amemthresh
cache_bypass
conntrack
drop_entry
drop_packet
expire_nodest_conn
expire_quiescent_template
lblc_expiration
lblcr_expiration
nat_icmp_send
secure_tcp
snat_reroute
sync_threshold
sync_version

We also read discussions about the performance impact of connection 
tracking support. A lot of people recommend disabling connection 
tracking because it consumes a lot of CPU and memory, especially during 
syn flood attacks. But, after all, connection tracking should help the CPU 
by reducing the time spent looking at "accepted connections". So, do you have 
experience without connection tracking enabled, and what is the impact during syn 
flood attacks? Can we continue to use LB+filtering on the same box 
without connection tracking enabled? Or do we just need to use the 
"raw" table in iptables to bypass connection tracking for the destination 
ports targeted by these attacks?

Thank you in advance.

Regards,

--
Guillaume

_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
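As an added illustration (not part of Guillaume's message or of the LVS project's code), the following Python models how the IPVS drop_packet defense picks a drop rate from amemthresh, the available memory and am_droprate, and how the resulting 1-in-rate counter then decides which packets are discarded. It follows my reading of the kernel's update_defense_level() and ip_vs_todrop() logic and treats amemthresh and available memory as page counts; both are assumptions to verify against the net/netfilter/ipvs/ip_vs_ctl.c of the kernel actually in use.

```python
"""Simplified model of the IPVS drop_packet defense (constructed example)."""


class DropPacketDefense:
    """State the kernel keeps per IPVS namespace for packet dropping."""

    def __init__(self, drop_packet, amemthresh=1024, am_droprate=10):
        self.drop_packet = drop_packet    # the sysctl value (0..3)
        self.amemthresh = amemthresh      # assumed: threshold in pages
        self.am_droprate = am_droprate    # used only in mode 3
        self.drop_rate = 0                # 0 means "drop nothing"
        self.drop_counter = 0

    def update_defense_level(self, availmem):
        """Periodic recalculation; availmem is assumed to be free pages."""
        nomem = availmem < self.amemthresh
        if self.drop_packet == 0:
            self.drop_rate = 0
        elif self.drop_packet == 1:
            # Mode 1 only drops while memory is short; the kernel flips the
            # sysctl itself to 2 while dropping is active.
            if nomem:
                self.drop_rate = self.amemthresh // (self.amemthresh - availmem)
                self.drop_counter = self.drop_rate
                self.drop_packet = 2
            else:
                self.drop_rate = 0
        elif self.drop_packet == 2:
            if nomem:
                self.drop_rate = self.amemthresh // (self.amemthresh - availmem)
                self.drop_counter = self.drop_rate
            else:
                self.drop_rate = 0
                self.drop_packet = 1
        elif self.drop_packet == 3:
            # Mode 3 ignores memory: am_droprate is the rate, always.
            self.drop_rate = self.am_droprate

    def todrop(self):
        """Per new-connection decision: drop one packet in every drop_rate."""
        if not self.drop_rate:
            return False
        self.drop_counter -= 1
        if self.drop_counter > 0:
            return False
        self.drop_counter = self.drop_rate
        return True


def dropped_fraction(defense, npackets):
    """Fraction of npackets the current defense level would discard."""
    return sum(defense.todrop() for _ in range(npackets)) / npackets
```

In this model am_droprate=10 means one new connection in ten is dropped whether or not the box is short of memory, whereas mode 1 drops nothing until free memory falls below amemthresh and then drops progressively more as memory shrinks toward zero.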
