Hello IPVS folks,

The special 2.6 kernel patch against IPVS SYN floods did NOT go into the upstream kernels.

From my security obligations, it may still be a task to investigate whether that is still needed. SYN floods, especially SYN bind9 relay floods, are the most used threats today. A few days ago, for example, raspberrypi.org was hit by exactly this with a +1GB/s peak; see http://www.raspberrypi.org/archives/3935 . They USE 4 IPVS systems to balance the traffic. Therefore, for IPVS security obligations, the SYN flood traffic should be stopped at the earliest point: the IPVS systems themselves.

As I said last week, and someone here agreed: it is TIME for a NEW productive STABLE IPVS(adm) release. If only for such network security concerns.

--
Mit freundlichen Grüßen / Best Regards
Horst Venzke ; PGP NET : 1024G/082F2E6D ; http://www.remsnet.de

Legal Notice: This transmittal and/or attachments may be privileged or confidential. It is intended solely for the addressee named above. Any review, dissemination, or copying is strictly prohibited. If you received this transmittal in error, please notify us immediately by reply and immediately delete this message and all its attachments. Thank you.

Sent: Tuesday, 14 May 2013 at 00:09
From: "Ivan Havlicek" <[email protected]>
To: [email protected]
Subject: Re: [lvs-users] IPVS SYN-cookies

> We're looking to implement IPVS load balancers in front of our web
> servers, and we'd like to have the IPVS directors generate SYN cookies
> in case of a flood, instead of passing them down to the realservers.

Hi Alex,

Sorry, but as far as I understand SYN cookies, only the real server can do that, as the TCP transaction is between the client and the real server (IPVS only does DNAT).

But you can also "limit" the VIP to try to prevent SYN flood attacks (just an example):

# create the user chain first; the INPUT jump below fails if it does not exist yet
iptables -N syn-flood
iptables -I INPUT -i eth0 -p tcp --syn -j syn-flood
# packets with every TCP flag set: log (at most 5/minute) and reject
iptables -A syn-flood -p tcp --tcp-flags ALL ALL -m limit --limit 5/minute -j LOG --log-level alert --log-prefix "syn-flood:"
iptables -A syn-flood -p tcp --tcp-flags ALL ALL -j REJECT --reject-with tcp-reset
# up to 500 SYN/s (burst 5) continue through INPUT; the rest is logged (at most 5/minute) and dropped
iptables -A syn-flood -p tcp -m limit --limit 500/second --limit-burst 5 -j RETURN
iptables -A syn-flood -p tcp -m limit --limit 5/minute -j LOG --log-level alert --log-prefix "syn-flood-LIMIT(>500/s):"
iptables -A syn-flood -p tcp -j DROP

Hope useful..

-- Ivan

_______________________________________________
Please read the documentation before posting - it's available at: http://www.linuxvirtualserver.org/
LinuxVirtualServer.org mailing list - [email protected]
Send requests to [email protected] or go to http://lists.graemef.net/mailman/listinfo/lvs-users
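A model of how the syn-flood chain above classifies a SYN stream, as an added example (not code from this thread or from the LVS project): the iptables `limit` match is approximated as a token bucket, and the two traffic samples are constructed.

```python
from fractions import Fraction
from typing import Dict, List, Tuple

class LimitMatch:
    """Token-bucket model of the iptables 'limit' match (the kernel uses
    integer credits; Fraction keeps this approximation exact)."""
    def __init__(self, rate_per_second, burst: int = 5):
        self.rate = Fraction(rate_per_second)
        self.burst = Fraction(burst)
        self.tokens = self.burst      # bucket starts full, so the first 'burst' packets match
        self.last_us = None

    def match(self, now_us: int) -> bool:
        if self.last_us is not None:  # refill for the time elapsed since this rule last ran
            refill = Fraction(now_us - self.last_us, 1_000_000) * self.rate
            self.tokens = min(self.burst, self.tokens + refill)
        self.last_us = now_us
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL = FIN | SYN | RST | PSH | ACK | URG

class SynFloodChain:
    """RETURN while under 500 SYN/s (burst 5); otherwise log (<= 5/min) and DROP."""
    def __init__(self):
        self.xmas_log = LimitMatch(Fraction(5, 60))   # --limit 5/minute
        self.rate = LimitMatch(500, burst=5)          # --limit 500/second --limit-burst 5
        self.drop_log = LimitMatch(Fraction(5, 60))   # --limit 5/minute
        self.logs: List[str] = []

    def verdict(self, now_us: int, flags: int) -> str:
        # The INPUT rule only jumps here for --syn packets (SYN set, ACK/RST/FIN clear).
        if (flags & (SYN | ACK | RST | FIN)) != SYN:
            return "NOT-IN-CHAIN"
        # --tcp-flags ALL ALL cannot match a packet that passed --syn; kept for fidelity.
        if (flags & ALL) == ALL:
            if self.xmas_log.match(now_us):
                self.logs.append("syn-flood:")
            return "REJECT"
        if self.rate.match(now_us):
            return "RETURN"           # within the limit: continues INPUT and reaches IPVS
        if self.drop_log.match(now_us):
            self.logs.append("syn-flood-LIMIT(>500/s):")
        return "DROP"

def run(chain: SynFloodChain, packets: List[Tuple[int, int]]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for t_us, flags in packets:
        v = chain.verdict(t_us, flags)
        counts[v] = counts.get(v, 0) + 1
    return counts

# Constructed traffic: 1000 SYNs within 100 ms (a flood) vs. 20 SYNs at 10/s (a client).
FLOOD = [(i * 100, SYN) for i in range(1000)]
LEGIT = [(i * 100_000, SYN) for i in range(20)]
```

With these samples only 54 of the 1000 flood SYNs reach IPVS and just 5 log lines are written, while every SYN of the slow client passes.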
