[lvs-users] IPVS SYN-cookies -> IPVS security patch not 3.x kernels

Horst Venzke-Fa Remsnet Ltd support at remsnet.de
Tue May 14 20:04:10 BST 2013

   Hello Ivan,

   OK, I will explain my view more.
   I already had that issue at a big-iron EU customer; they still use 2.6
   longterm kernels because the patch is not in 3.x.

   Well, with LVS-NAT the real servers are BEHIND the IPVS on almost a second
   network, with a route via IPVS
   (per the standard LVS-NAT HOWTOs).

   So the SYN traffic PASSED the LB servers to the real servers AND BACK.
   The real servers over-flood the LB (IPVS) systems with traffic amounts they
   should not.
   And exactly for that the 2.6.x SYNPROXY IPVS patch was made years ago.

   In fact, SYN flood traffic does not get generated by real servers because of
   SYNPROXY on LB systems using IPVS-NAT.
   Modern commercially driven LBs behave so today (like IBM's, i.e.).

   Right --- the real servers should handle almost all the traffic.
   But for LVS-NAT it is an issue, because the traffic AMOUNT passes the interfaces
   and keeps the LB systems too quickly busy.

   This issue does not apply to LVS-DR and LVS-TUN, as the outbound traffic comes
   back directly from the REAL servers to the requesting client(s).
   And right, having a firewall (cluster...) in front of a web farm is
   always a major solution.

   I hope you understand me better now.

   With kind regards / Best Regards
   Horst Venzke ; PGP NET : 1024G/082F2E6D ; http://www.remsnet.de

   Sent: Tuesday, 14 May 2013 at 19:49
   From: "Ivan Havlicek" <ivan at modulix.org>
   To: lvs-users at linuxvirtualserver.org
   Subject: Re: [lvs-users] IPVS SYN-cookies -> IPVS security patch not 3.x
   On 14/05/2013 08:51, Horst Venzke-Fa Remsnet Ltd wrote:
   > Therefore - for IPVS security obligations - the SYN flood traffic should
   > be stopped at the earliest point: the IPVS systems themselves.
   It is a view that I do not share.
   I prefer to use the solution of "limiting" at the IPVS server and using
   SYN cookies on the real servers.
   Maybe I'm wrong, but I prefer to distribute the attack on the real servers
   rather than take the risk of dropping the IPVS director itself.
   As the only way is to rewrite something which permits doing the SYNPROXY
   for the kernel 3.x series, perhaps you should find another way to obtain
   this result. If there is a high risk of DoS in your case, perhaps
   putting some equipment to manage that before the IPVS server could be
   another good solution.
   Best regards


