Re: [lvs-users] IPVS SYN-cookies

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: Re: [lvs-users] IPVS SYN-cookies
From: Ivan Havlicek <ivan@xxxxxxxxxxx>
Date: Tue, 14 May 2013 00:09:22 +0200
> We're looking to implement IPVS load balancers in front of our web
> servers, and we'd like to have the IPVS directors generate SYN cookies
> in case of a flood, instead of passing them down to the realservers.

Hi Alex,

Sorry, but as far as I understand SYN cookies, only the real server can
do that, as the TCP transaction is between client and real server (IPVS
does only DNAT).

But you can also "limit" the VIP to try to prevent SYN flood attacks
(just an example):

# create the chain first, then hook every incoming SYN into it
iptables -N syn-flood
iptables -I INPUT -i eth0 -p tcp --syn -j syn-flood
# packets with every TCP flag set: log (rate limited), then reset
iptables -A syn-flood -p tcp --tcp-flags ALL ALL -m limit --limit 5/minute -j LOG --log-level alert --log-prefix "syn-flood:"
iptables -A syn-flood -p tcp --tcp-flags ALL ALL -j REJECT --reject-with tcp-reset
# up to 500 SYN/s (burst 5) return to INPUT and are handled normally
iptables -A syn-flood -p tcp -m limit --limit 500/second --limit-burst 5 -j RETURN
# anything above that: log (rate limited) and drop
iptables -A syn-flood -p tcp -m limit --limit 5/minute -j LOG --log-level alert --log-prefix "syn-flood-LIMIT(>500/s):"
iptables -A syn-flood -p tcp -j DROP

Hope it's useful.
--
                    Ivan


_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
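To see how the syn-flood chain in Ivan's reply actually behaves under a burst, here is an added model of it (example code written for this page, not from the list or the LVS project): each `-m limit` is modelled as a token bucket with the `limit` module's default burst of 5, and the rules are evaluated in the order they were appended. Packet flag sets and arrival times are constructed inputs; the verdict strings are the model's own names for the targets.

```python
"""Model of the iptables syn-flood chain from the post (added example)."""
from dataclasses import dataclass, field

# All six flags that `--tcp-flags ALL` expands to
TCP_ALL = frozenset({"SYN", "ACK", "FIN", "RST", "PSH", "URG"})


@dataclass
class TokenBucket:
    """Approximation of `-m limit --limit rate --limit-burst burst`."""
    rate: float           # tokens (matching packets) per second
    burst: int = 5        # iptables default burst
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst)  # bucket starts full

    def allow(self, now: float) -> bool:
        """Refill for elapsed time, then spend one token if available."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class SynFloodChain:
    """Rules of the `syn-flood` chain, each `-m limit` with its own bucket."""

    def __init__(self) -> None:
        self.xmas_log = TokenBucket(5 / 60)          # --limit 5/minute
        self.passthrough = TokenBucket(500, burst=5)  # --limit 500/second --limit-burst 5
        self.drop_log = TokenBucket(5 / 60)          # --limit 5/minute
        self.log: list[str] = []                      # what LOG would emit

    def verdict(self, flags: frozenset, now: float) -> str:
        # Note: the INPUT hook uses --syn, so only SYN-only packets reach the
        # chain and the two ALL-flags rules never fire in that setup.
        if flags == TCP_ALL:
            if self.xmas_log.allow(now):                # LOG is non-terminating
                self.log.append(f"syn-flood: t={now:.4f}")
            return "REJECT tcp-reset"
        if self.passthrough.allow(now):
            return "RETURN"                             # back to INPUT, handled normally
        if self.drop_log.allow(now):
            self.log.append(f"syn-flood-LIMIT(>500/s): t={now:.4f}")
        return "DROP"


def simulate_syns(chain: SynFloodChain, arrivals: list[float]) -> list[str]:
    """Feed plain SYN packets at the given timestamps and collect verdicts."""
    return [chain.verdict(frozenset({"SYN"}), t) for t in arrivals]
```

Ten SYNs inside a millisecond yield five RETURN and five DROP verdicts (and five log lines); a SYN a second later is passed again because the 500/s bucket has refilled.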
