[lvs-users] IPVS SYN-cookies -> IPVS security patch not 3.x kernels

Ivan Havlicek ivan at modulix.org
Thu May 16 00:51:33 BST 2013

On 14/05/2013 21:04, Horst Venzke-Fa Remsnet Ltd wrote:
> So the SYN traffic PASSED the LB servers to the real servers AND BACK. The
> real servers over-flood the LB (IPVS) systems with traffic amounts
> they should not. And exactly for that the 2.6x SYNPROXY IPVS patch
> was made years ago.

I have also been using IPVS with NAT for some years now. So, I know the hype of SYN

But, as it is very difficult to prevent an attack like:

# hping3 --data 666 --syn --destport 80 --flood --rand-source IP_POOR_VICTIM

only with SYN cookies, I prefer to use another strategy for this issue.
In a few words, each IPVS director has iptables rules and acts as a
stateful firewall.
The rules concerning NEW connections are limited (the number needs to be
tuned) per second.
The goal is to make the conntrack tables grow more slowly, combined with a
low TCP time to live:

ipvsadm --set 2 5 5

So under pressure, the IPVS server has time to purge its list quickly enough.
After some tests, I also added some hand-made scripts to ban by MAC address
clients that are in too much of a hurry (tail -f /var/log/kernel.log):

iptables -A INPUT -i eth0 -p tcp -m limit --limit 15/minute -j LOG --log-level alert --log-prefix "INPUT:DROP "

For now, it's the best way I've found to deal with this.
In fact, my best advice is to not have enemies...
I guess that in case of a massive attack (some GB/s from multiple sources),
it'll be very hard not to disturb the web service :-(

Well, I'm a poor lone cowboy with my Gentoo, and I agree,
something better should be made!

> Right, to have a Firewall (Cluster..) in front of a Webfarm
> is always a major solution.

I'm looking for some feedback about a PfSense cluster, you're welcome ;-)
My 2 cents.
Ivan Havlicek
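The "hand-made script" the post mentions, which watches the INPUT:DROP log lines and bans by MAC address, is not shown. Below is an added example (not from the poster or the LVS project) of the detection half of that idea: it parses netfilter LOG lines in the format the post's iptables rule emits, keys a sliding-window SYN count on the source MAC rather than the spoofable source IP, and reports senders over the threshold. The log lines, hosts, MACs and addresses are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
# netfilter LOG line from the post's "--log-prefix INPUT:DROP " rule. The MAC=
# field holds dst MAC (6 bytes), src MAC (6 bytes) and ethertype (2 bytes).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?INPUT:DROP .*?"
    r"MAC=(?P<mac>(?:[0-9a-f]{2}:){13}[0-9a-f]{2}) SRC=(?P<src>\S+) .*?"
    r"PROTO=TCP .*?DPT=(?P<dpt>\d+)(?P<tail>.*)$"
)

def source_mac(mac_field):
    """Sender's MAC: bytes 7-12 of the 14-byte MAC= field."""
    return ":".join(mac_field.split(":")[6:12])

def parse_syn_events(log_text, year=2013):
    """Yield (timestamp, src_mac, src_ip) for each logged bare SYN to port 80."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        # only initial SYNs (no ACK) count toward the flood threshold
        if not m or m["dpt"] != "80" or " SYN" not in m["tail"] or "ACK" in m["tail"]:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        yield ts, source_mac(m["mac"]), m["src"]

def flag_offenders(log_text, window_seconds=60, max_syn=10):
    """Return {src_mac: peak SYN count} for senders exceeding max_syn SYNs within
    window_seconds. Keyed by MAC, not IP, since a spoofed-source flood changes SRC=."""
    recent = defaultdict(deque)   # per-MAC sliding window of SYN timestamps
    offenders = {}
    for ts, mac, _src in sorted(parse_syn_events(log_text)):
        dq = recent[mac]
        dq.append(ts)
        while (ts - dq[0]).total_seconds() > window_seconds:
            dq.popleft()
        if len(dq) > max_syn:
            offenders[mac] = max(offenders.get(mac, 0), len(dq))
    return offenders

# Constructed sample log: one sender floods with a different source IP on every
# packet, one is a normal client. All hosts, MACs and IPs are hypothetical.
def _line(sec, src_mac, src_ip):
    return (f"May 16 00:51:{sec:02d} lb1 kernel: INPUT:DROP IN=eth0 OUT= "
            f"MAC=00:11:22:33:44:55:{src_mac}:08:00 SRC={src_ip} DST=198.51.100.5 "
            f"LEN=60 PROTO=TCP SPT=43210 DPT=80 WINDOW=512 RES=0x00 SYN URGP=0")

SAMPLE_LOG = "\n".join(
    [_line(s, "66:77:88:99:aa:bb", f"203.0.113.{s + 1}") for s in range(12)]
    + [_line(s * 10, "de:ad:be:ef:00:01", "192.0.2.10") for s in range(3)]
)
```

Because the post's LOG rule is itself rate-limited to 15/minute, the threshold here has to be read against what actually reaches the log, not the raw packet rate on the wire.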

