Hello Ivan,
OK, I will explain my view more.
I already had that issue at a big-iron EU customer; they still use 2.6
long-term kernels because the patch is not in 3.x.
Well, with LVS-NAT the real servers are BEHIND the IPVS, on almost a second
network, with a route via the IPVS
(up to spec by the standard LVS-NAT HOWTOs).
So the SYN traffic PASSED the LB servers to the real servers AND BACK.
The real servers over-flood the LB (IPVS) systems with traffic amounts they
should not.
And exactly for that the 2.6.x SYNPROXY IPVS patch was made years ago.
In fact, SYN flood traffic did not get generated by the real servers, thanks to
SYNPROXY on LB systems using IPVS-NAT.
Modern commercially driven LBs behave so today (like IBM's, i.e.).
Right, the real servers should handle almost all of the traffic.
But for LVS-NAT it is an issue, because the traffic AMOUNT passes the interfaces
and keeps the LB systems too quickly busy.
This issue does not apply to LVS-DR and LVS-TUN, as the outbound traffic back
comes directly from the REAL servers to the requesting client(s).
And right, having a firewall (cluster...) in front of a web farm is
always a major solution.
Hope you understand me better now.
--
Mit freundlichen Grüßen / Best Regards
Horst Venzke ; PGP NET : 1024G/082F2E6D ; http://www.remsnet.de
Legal Notice: This transmittal and/or attachments may be privileged or
confidential. It is intended solely for the addressee named above. Any
review, dissemination, or copying is strictly prohibited. If you received
this transmittal in error, please notify us immediately by reply and
immediately delete this message and all its attachments. Thank you.
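As an added example (not code from the thread or the LVS project), a small Python parser over a constructed `ipvsadm -L -n` listing that flags which virtual services have real servers using the Masq (LVS-NAT) forwarding method, whose SYN-ACKs return through the director as described above, versus Route (LVS-DR) and Tunnel (LVS-TUN) real servers that reply straight to the client. The sample output and the addresses in it are constructed.

```python
import re

# Constructed sample of `ipvsadm -L -n` output (not taken from the thread).
SAMPLE_IPVSADM = """\
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.0.2.10:80 wlc
  -> 10.0.0.1:80                  Masq    1      0          0
  -> 10.0.0.2:80                  Masq    1      0          0
TCP  192.0.2.11:443 rr
  -> 10.0.0.3:443                 Route   1      0          0
  -> 10.0.0.4:443                 Tunnel  1      0          0
"""

# Forwarding methods as printed by ipvsadm, mapped to whether the real
# server's reply path runs back through the director (only LVS-NAT does;
# "Local" means the director itself serves the request).
REPLY_VIA_DIRECTOR = {"Masq": True, "Route": False, "Tunnel": False, "Local": True}

SERVICE_RE = re.compile(r"^(TCP|UDP|SCTP)\s+(\S+)\s+(\S+)")
REAL_RE = re.compile(r"^\s*->\s+(\S+)\s+(Masq|Route|Tunnel|Local)\s+(\d+)")


def parse_ipvsadm(text):
    """Return {virtual_service: [(real_server, forward, weight), ...]}."""
    services, current = {}, None
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            current = f"{m.group(1)} {m.group(2)}"
            services[current] = []
            continue
        m = REAL_RE.match(line)
        if m and current is not None:
            services[current].append((m.group(1), m.group(2), int(m.group(3))))
    return services


def nat_exposed_services(services):
    """Virtual services with at least one Masq real server: under a SYN flood
    the real servers' SYN-ACKs (and retransmits) return through the director,
    so the director's interfaces carry both directions of the attack."""
    return sorted(svc for svc, reals in services.items()
                  if any(REPLY_VIA_DIRECTOR[fwd] for _, fwd, _ in reals))


if __name__ == "__main__":
    for svc in nat_exposed_services(parse_ipvsadm(SAMPLE_IPVSADM)):
        print(f"{svc}: LVS-NAT real servers, reply traffic crosses the director")
```

Run it against real output with `ipvsadm -L -n | python3 thisfile.py` after swapping the sample for `sys.stdin.read()`; services using only Route or Tunnel are not reported.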
Sent: Tuesday, 14 May 2013 at 19:49
From: "Ivan Havlicek" <ivan@xxxxxxxxxxx>
To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: Re: [lvs-users] IPVS SYN-cookies -> IPVS security patch not 3.x
kernels
On 14/05/2013 08:51, Horst Venzke-Fa Remsnet Ltd wrote:
> Therefore - for IPVS security obligations - the SYN flood traffic should be
> stopped at the earliest point: the IPVS systems themselves.
It is a view that I do not share.
I prefer to use the solution to "limit" at the IPVS IP server and use
the SYN cookies on the real servers.
Maybe I'm wrong, but I prefer to distribute the attack on the real servers
rather than take the risk of dropping the IPVS director itself.
As the only way is to rewrite something which permits doing the SYNPROXY
for the kernel 3.x series, perhaps you should find another way to obtain
this result. If there is a high risk of DoS in your case, perhaps
putting some equipment to manage that before the IPVS server would be
another good solution.
Best regards
--
Ivan
_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/
LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://lists.graemef.net/mailman/listinfo/lvs-users