Hello Ivan,

OK, I will explain my view more. I already had that issue at a big-iron EU customer; they still use 2.6 long-term kernels because the patch did not make it into 3.x.

Well, with LVS-NAT the real servers are BEHIND the IPVS, on what is almost a second network with a route via IPVS (as specified by the standard LVS-NAT HOWTOs). So the SYN traffic PASSES the LB servers to the real servers AND BACK. The real servers over-flood the LB (IPVS) systems with traffic amounts they should not. And exactly for that the 2.6.x SYNPROXY IPVS patch was made years ago. In fact, SYN flood traffic does not get generated by the real servers, thanks to SYNPROXY on LB systems using IPVS-NAT. Modern commercially driven LBs behave like that today (IBM's, for example).

Right, the real servers should handle almost all of the traffic. But for LVS-NAT it is an issue because the traffic AMOUNT passes the interfaces and keeps the LB systems busy too quickly. This issue does not apply to LVS-DR and LVS-TUN, as the outbound traffic comes back directly from the REAL servers to the requesting client(s).

And right, having a firewall (cluster...) in front of a web farm is always a major solution.

Hope you got me more.

-- 
Kind regards / Best Regards
Horst Venzke ; PGP NET : 1024G/082F2E6D ; http://www.remsnet.de

Sent: Tuesday, 14 May 2013 at 19:49
From: "Ivan Havlicek" <[email protected]>
To: [email protected]
Subject: Re: [lvs-users] IPVS SYN-cookies -> IPVS security patch not 3.x kernels

> On 14/05/2013 08:51, Horst Venzke-Fa Remsnet Ltd wrote:
> > Therefore - for IPVS security obligations - the SYN flood traffic should be
> > stopped at the earliest point: the IPVS systems themselves.
>
> It is a view that I do not share. I prefer to use the solution to "limit" at the IPVS IP server and use the SYN cookies on the real servers.
>
> Maybe I'm wrong, but I prefer to distribute the attack on the real servers rather than take the risk of dropping the IPVS director himself. As the only way is to rewrite something which permits doing the SYNPROXY for the kernel 3.x series, perhaps you should find another way to obtain this result. If there is a high risk of DoS in your case, perhaps putting some equipment to manage that before the IPVS server should be another good solution.
>
> Best regards
> -- 
> Ivan
>
> _______________________________________________
> Please read the documentation before posting - it's available at:
> http://www.linuxvirtualserver.org/
>
> LinuxVirtualServer.org mailing list - [email protected]
> Send requests to [email protected]
> or go to http://lists.graemef.net/mailman/listinfo/lvs-users
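The thread's point is that only LVS-NAT (`Masq` forwarding) makes real-server replies hairpin back through the director, while LVS-DR (`Route`) and LVS-TUN (`Tunnel`) backends answer clients directly. The following audit script is an added example, not code from the list thread or the LVS project: it parses the text layout of `ipvsadm -Ln` to list the NAT-forwarded backends whose return traffic will load the director, and checks whether SYN cookies are enabled on a real server. The table below is constructed sample output; the addresses and the `--demo` switch are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the list thread): audit an IPVS table for NAT-forwarded
# real servers, i.e. those whose replies must hairpin back through the director.
# Input is the text of `ipvsadm -Ln`; the sample below is constructed for the demo.

# Print "VIP:port RIP:port" for every real server whose Forward method is Masq (LVS-NAT).
# Route (LVS-DR) and Tunnel (LVS-TUN) backends answer clients directly and are skipped.
nat_backends() {
    awk '
        /^(TCP|UDP|SCTP) / { vip = $2 }            # service line: proto VIP:port scheduler
        /^ *->/ && $3 == "Masq" { print vip, $2 }  # real-server line: -> RIP:port Forward ...
    '
}

# Count the NAT backends in a table (convenience wrapper for scripting or alerting).
nat_backend_count() {
    nat_backends | wc -l | tr -d ' '
}

# Report whether SYN cookies are enabled, reading the sysctl value from a file so the
# same check runs against /proc/sys/net/ipv4/tcp_syncookies on a real server or against
# a captured copy. Prints "enabled" or "disabled"; returns 0 only when enabled (1 or 2).
syncookies_state() {
    v=$(tr -d '[:space:]' < "$1")
    if [ "$v" = "1" ] || [ "$v" = "2" ]; then echo enabled; return 0; fi
    echo disabled; return 1
}

# Constructed sample in the layout ipvsadm -Ln prints (addresses are placeholders).
SAMPLE_TABLE='IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.0.2.10:80 wlc
  -> 10.0.0.11:80                 Masq    1      0          0
  -> 10.0.0.12:80                 Masq    1      0          0
TCP  192.0.2.10:443 rr
  -> 10.0.0.11:443                Route   1      0          0
  -> 10.0.0.12:443                Tunnel  1      0          0'

# Run with --demo to list the NAT backends of the sample; otherwise pipe real
# `ipvsadm -Ln` output into nat_backends after sourcing this file.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_TABLE" | nat_backends
fi
```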
