|
> We're looking to implement IPVS load balancers in front of our web
> servers, and we'd like to have the IPVS directors generate SYN cookies
> in case of a flood, instead of passing them down to the realservers.
Hi Alex,
Sorry, but as far as i understand SYN cookies, only the real server can
do that as the TCP transaction is between client and real server (IPVS
does only DNAT)
But you can also "limit" the VIP to try to prevent SYN flood attacks
(just exemple):
iptables -I INPUT -i eth0 -p tcp --syn -j syn-flood iptables -N syn-flood
iptables -A syn-flood -p tcp --tcp-flags ALL ALL -m limit --limit
5/minute -j LOG --log-level alert --log-prefix "syn-flood:"
iptables -A syn-flood -p tcp --tcp-flags ALL ALL -j REJECT --reject-with
tcp-reset
iptables -A syn-flood -p tcp -m limit --limit 500/second --limit-burst 5
-j RETURN
iptables -A syn-flood -p tcp -m limit --limit 5/minute -j LOG
--log-level alert --log-prefix "syn-flood-LIMIT(>500/s):"
iptables -A syn-flood -p tcp -j DROP
Hope usefull..
--
Ivan
_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/
LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
|
