Hello IPVS Folks,
The special 2.6 kernel patch against IPVS SYN flood did NOT go into upstream
kernels.
From my security obligations, that may still be a task to investigate, if that
may still be needed.
SYN floods, especially SYN bind9 RELAY floods, are the most used threats
today.
A few days ago, i.e. raspberrypi.org was hit by exactly this with a +1GB/s
peak; see http://www.raspberrypi.org/archives/3935 .
They USE 4 IPVS systems to balance the traffic.
Therefore, for IPVS security obligations, the SYN flood traffic should be
stopped at the earliest point: the IPVS systems themselves.
As I said last week, and someone agreed here: it's TIME for a NEW
productive STABLE IPVS(adm) release.
Also for such network security concerns.
--
Kind regards / Best Regards
Horst Venzke ; PGP NET : 1024G/082F2E6D ; http://www.remsnet.de
Legal Notice: This transmittal and/or attachments may be privileged or
confidential. It is intended solely for the addressee named above. Any
review, dissemination, or copying is strictly prohibited. If you received
this transmittal in error, please notify us immediately by reply and
immediately delete this message and all its attachments. Thank you.
Sent: Tuesday, 14 May 2013 at 00:09
From: "Ivan Havlicek" <ivan@xxxxxxxxxxx>
To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: Re: [lvs-users] IPVS SYN-cookies
> We're looking to implement IPVS load balancers in front of our web
> servers, and we'd like to have the IPVS directors generate SYN cookies
> in case of a flood, instead of passing them down to the realservers.
Hi Alex,
Sorry, but as far as I understand SYN cookies, only the real server can
do that, as the TCP transaction is between client and real server (IPVS
only does DNAT).
But you can also "limit" the VIP to try to prevent SYN flood attacks
(just an example):
# create the chain first, then send every incoming SYN on eth0 through it
iptables -N syn-flood
iptables -I INPUT -i eth0 -p tcp --syn -j syn-flood
# packets with every TCP flag set: log (rate-limited) and reject with a reset
iptables -A syn-flood -p tcp --tcp-flags ALL ALL -m limit --limit 5/minute -j LOG --log-level alert --log-prefix "syn-flood:"
iptables -A syn-flood -p tcp --tcp-flags ALL ALL -j REJECT --reject-with tcp-reset
# admit up to 500 SYN/s (burst 5) back to INPUT, log the excess at most 5/minute, drop the rest
iptables -A syn-flood -p tcp -m limit --limit 500/second --limit-burst 5 -j RETURN
iptables -A syn-flood -p tcp -m limit --limit 5/minute -j LOG --log-level alert --log-prefix "syn-flood-LIMIT(>500/s):"
iptables -A syn-flood -p tcp -j DROP
Hope it's useful.
--
Ivan
_______________________________________________
Please read the documentation before posting - it's available at:
[1]http://www.linuxvirtualserver.org/
LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to [2]http://lists.graemef.net/mailman/listinfo/lvs-users
References
1. http://www.linuxvirtualserver.org/
2. http://lists.graemef.net/mailman/listinfo/lvs-users
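The chain Ivan posts rests on `-m limit`, which is a token bucket: `--limit-burst` is the bucket size and `--limit` its refill rate. The Python below is an added example, not code from the thread, that models that chain over constructed SYN arrival times (the `LimitMatch` class and function names are my own, and the model is a simplification of the kernel's xt_limit).

```python
from dataclasses import dataclass, field
from fractions import Fraction
from typing import List, Tuple

@dataclass
class LimitMatch:
    """Simplified model of iptables' `-m limit`: a token bucket that holds at most
    `burst` tokens and refills at `rate` tokens per second. A packet matches the
    rule (and spends one token) only while a whole token is available."""
    rate: Fraction            # --limit, in packets per second
    burst: int = 5            # --limit-burst (iptables default is 5)
    tokens: Fraction = field(init=False)
    last: Fraction = field(init=False, default=Fraction(0))

    def __post_init__(self) -> None:
        self.tokens = Fraction(self.burst)

    def matches(self, t: Fraction) -> bool:
        self.tokens = min(Fraction(self.burst), self.tokens + (t - self.last) * self.rate)
        self.last = t
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

def run_syn_flood_chain(arrivals: List[Fraction]) -> Tuple[List[str], List[str]]:
    """Walk the posted syn-flood chain for SYN packets arriving at the given
    times (seconds). INPUT only jumps `--syn` packets here, and a plain SYN never
    matches `--tcp-flags ALL ALL`, so only the RETURN/LOG/DROP rules are modelled."""
    admit = LimitMatch(rate=Fraction(500))          # --limit 500/second --limit-burst 5 -j RETURN
    log = LimitMatch(rate=Fraction(5, 60))          # --limit 5/minute -j LOG
    verdicts, log_lines = [], []
    for t in arrivals:
        if admit.matches(t):
            verdicts.append("RETURN")               # handed back to INPUT, reaches IPVS
            continue
        if log.matches(t):                          # LOG is itself rate-limited
            log_lines.append(f"syn-flood-LIMIT(>500/s): t={float(t):.4f}s")
        verdicts.append("DROP")
    return verdicts, log_lines

def summarize(arrivals: List[Fraction]) -> Tuple[int, int, int]:
    """Return (admitted, dropped, log lines written) for one arrival pattern."""
    verdicts, log_lines = run_syn_flood_chain(arrivals)
    return verdicts.count("RETURN"), verdicts.count("DROP"), len(log_lines)

# Constructed arrival patterns (not captured traffic), one second each.
NORMAL = [Fraction(i, 100) for i in range(100)]     # 100 SYN/s: all admitted
FLOOD = [Fraction(i, 5000) for i in range(5000)]    # 5000 SYN/s: ~1 in 10 admitted
```

The match is global for the VIP, so once a flood exceeds 500/s, legitimate SYNs are dropped in the same ratio as attack SYNs: the rule protects the real servers' backlog, not the clients' ability to connect.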