On 2017-10-24 20:18:30 +0900 (+0900), Jean-Philippe Méthot wrote:
> We’ve just recently been hit on by a low-level DDoS on one of our
> compute nodes. The attack was filling our conntrack table while
> having no noticeable impact on our server load, which is why it
> took us a while to detect it. Is there any recommended practice
> regarding server configuration to reduce the impact of a DDoS on
> the whole compute node and thus, prevent it from going down? I
> understand that increasing the size of the conntrack table is one,
> but outside of that?
You might want to look into using iptables -j REJECT -m connlimit --connlimit-above some threshold with matches for the individual ports' addresses... I'm not a heavy on this end of operations but others here probably know how to add hooks for something like that. Of course this only moves the denial of service down to the individual instance being targeted or used rather than knocking the entire compute node offline (hopefully anyway), and is no substitute for actual attack mitigation devices/services inline on the network.
-- 
Jeremy Stanley
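A detection-side complement to the thread, added here and not part of either message: a POSIX shell snippet that reads a conntrack snapshot (a constructed sample of /proc/net/nf_conntrack lines stands in for the live file) and reports how full the table is and which sources hold the most half-open entries, which is the signal the original poster lacked while load looked normal. The sample addresses and the 80% threshold are assumptions.

```shell
#!/bin/sh
# Spot conntrack-table exhaustion before the node falls over: the table can
# fill from half-open or spoofed-source traffic while CPU and load stay normal.

# Constructed sample of /proc/net/nf_conntrack lines (not real traffic):
# three half-open entries from one source, one established SSH flow.
SAMPLE='ipv4     2 tcp      6 117 SYN_RECV src=203.0.113.7 dst=198.51.100.20 sport=40001 dport=80 [UNREPLIED] src=198.51.100.20 dst=203.0.113.7 sport=80 dport=40001 mark=0 zone=0 use=2
ipv4     2 tcp      6 118 SYN_RECV src=203.0.113.7 dst=198.51.100.20 sport=40002 dport=80 [UNREPLIED] src=198.51.100.20 dst=203.0.113.7 sport=80 dport=40002 mark=0 zone=0 use=2
ipv4     2 tcp      6 119 SYN_RECV src=203.0.113.7 dst=198.51.100.20 sport=40003 dport=443 [UNREPLIED] src=198.51.100.20 dst=203.0.113.7 sport=443 dport=40003 mark=0 zone=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=192.0.2.9 dst=198.51.100.20 sport=51000 dport=22 src=198.51.100.20 dst=192.0.2.9 sport=22 dport=51000 [ASSURED] mark=0 zone=0 use=2'

# Integer percentage of the table in use. On a live node pass the values of
# /proc/sys/net/netfilter/nf_conntrack_count and nf_conntrack_max.
conntrack_usage_pct() {
    echo $(( $1 * 100 / $2 ))
}

# Entries per initiating source: the first src= field on each line is the
# original direction. Prints "<count> <ip>", highest first. Reads stdin.
top_sources() {
    awk '{ for (i = 1; i <= NF; i++)
               if ($i ~ /^src=/) { sub("src=", "", $i); n[$i]++; break } }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Half-open entries that never saw a reply: many of these alongside a normal
# load average is the pattern described in the thread. Reads stdin.
unreplied_count() {
    grep -c '\[UNREPLIED\]'
}

# Usage: check_conntrack <count> <max> [threshold_pct] < snapshot
# Returns 1 (and names the top sources) when the table is above threshold,
# so it can sit behind a cron job or a monitoring check.
check_conntrack() {
    pct=$(conntrack_usage_pct "$1" "$2")
    [ "$pct" -lt "${3:-80}" ] && return 0
    snapshot=$(cat)
    echo "WARN: conntrack table ${pct}% full," \
         "$(printf '%s\n' "$snapshot" | unreplied_count) unreplied entries"
    printf '%s\n' "$snapshot" | top_sources | head -n 5
    return 1
}

# Example run against the constructed sample (60000 of 65536 entries used):
printf '%s\n' "$SAMPLE" | check_conntrack 60000 65536 || true
```

Once the offending sources are known, the connlimit rule suggested above (or a larger nf_conntrack_max) can be applied to the specific instance ports instead of guessing.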
_______________________________________________
OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators