> We're looking to implement IPVS load balancers in front of our web
> servers, and we'd like to have the IPVS directors generate SYN cookies
> in case of a flood, instead of passing them down to the realservers.

Hi Alex,

Sorry, but as far as I understand SYN cookies, only the real server can do that, as the TCP transaction is between client and real server (IPVS only does DNAT).

But you can also "limit" the VIP to try to prevent SYN flood attacks (just an example):

    # create the chain first, then send incoming SYNs to it
    iptables -N syn-flood
    iptables -I INPUT -i eth0 -p tcp --syn -j syn-flood
    # packets with all TCP flags set are bogus: log (rate limited) and reset
    iptables -A syn-flood -p tcp --tcp-flags ALL ALL -m limit --limit 5/minute -j LOG --log-level alert --log-prefix "syn-flood:"
    iptables -A syn-flood -p tcp --tcp-flags ALL ALL -j REJECT --reject-with tcp-reset
    # up to 500 SYN/s (burst 5) go back to INPUT; anything above is logged and dropped
    iptables -A syn-flood -p tcp -m limit --limit 500/second --limit-burst 5 -j RETURN
    iptables -A syn-flood -p tcp -m limit --limit 5/minute -j LOG --log-level alert --log-prefix "syn-flood-LIMIT(>500/s):"
    iptables -A syn-flood -p tcp -j DROP
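Added example, not from the original thread: a small Python parser that reads kern.log lines written by the LOG rules above (prefixes "syn-flood:" and "syn-flood-LIMIT(>500/s):") and counts logged SYNs per source, so the rate-limit hits can be reviewed after the fact. The log lines are constructed samples; the field layout follows what the iptables LOG target prints.

```python
import re
from collections import Counter

# Constructed kern.log excerpt in the format the iptables LOG target emits, using
# the two prefixes from the rules quoted above. Neither prefix ends in a space,
# so the kernel prints it run together with IN=.
SAMPLE_LOG = """\
Mar  3 10:15:01 director kernel: syn-flood-LIMIT(>500/s):IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=41234 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:13 director kernel: syn-flood-LIMIT(>500/s):IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=41240 DPT=80 SYN URGP=0
Mar  3 10:15:25 director kernel: syn-flood:IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.10 PROTO=TCP SPT=5555 DPT=443 SYN FIN PSH URGP=0
Mar  3 10:15:37 director kernel: syn-flood-LIMIT(>500/s):IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.10 PROTO=TCP SPT=3001 DPT=80 SYN URGP=0
Mar  3 10:15:49 director sshd[123]: Accepted publickey for admin from 192.0.2.1 port 2222
"""

# prefix runs up to the first ':' after "syn-flood"; the LOG fields start at IN=
LINE_RE = re.compile(r"kernel: (?P<prefix>syn-flood[^:]*:) ?(?P<rest>IN=.*)")
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_log(text):
    """Yield (prefix, fields) for every line carrying one of the syn-flood prefixes."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a LOG line from the syn-flood chain
        fields = dict(KV_RE.findall(m.group("rest")))
        yield m.group("prefix"), fields


def count_sources(text):
    """Count logged SYNs per (prefix, SRC). Each LOG rule is itself limited to
    5/minute, so these are samples of the flood, not the full packet count."""
    counts = Counter()
    for prefix, fields in parse_log(text):
        counts[(prefix, fields.get("SRC", "?"))] += 1
    return counts


def flagged_sources(text, min_hits=2):
    """Return sources that tripped the >500/s limit at least min_hits times."""
    counts = count_sources(text)
    return sorted(src for (prefix, src), n in counts.items()
                  if prefix.startswith("syn-flood-LIMIT") and n >= min_hits)


if __name__ == "__main__":
    for (prefix, src), n in sorted(count_sources(SAMPLE_LOG).items()):
        print(f"{prefix:28} {src:16} {n}")
    print("sources to investigate:", flagged_sources(SAMPLE_LOG))
```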
