RE: [load balancing] Delayed Binding and Half Open Connections in Alteon AD3

From: <jon.hartman [izzat] verizon.com>
Date: Thu Feb 09 2006 - 11:53:57 EST

We were given the impression that the later versions of AlteonOS use
syn-cookies to prevent SYN floods and that an actual session isn't opened
until the ACK (third step of the handshake) is sent with the correct ACK #
hash. Is that the case?

-----Original Message-----
From: owner-lb-l@vegan.net [mailto:owner-lb-l@vegan.net] On Behalf Of Ken
Thurman
Sent: Thursday, February 09, 2006 8:53 AM
To: lb-l@vegan.net
Subject: Re: [load balancing] Delayed Binding and Half Open Connections in
Alteon AD3

David,

   That counter is a historic counter, so no need to worry. If one of your
VIPs was under a SYN flood attack, using delayed binding would protect
the real servers, as the session is not bound to a real server until the
3-way TCP handshake has been completed. The switch will only wait for a
few seconds for the client to finish the 3-way handshake before it flushes
the connection. (I think it's 2 seconds, but it could be 10
seconds.) So unless the switch receives enough SYNs in that period to fill
up the session table, you are good.

As for a netstat command, it would not be very useful, but the session
table dump is: /inf/slb/sess. Depending on the version of code you are
running, you can dump based on CIP, DIP and other criteria, or the whole
table with /inf/slb/sess/dump. To find out how to read the session table,
/inf/slb/sess/help will dump out the information on how to read it.

Regards,

Ken

--- "Rivera Alonso, David" <drivera@iberdrola.es>
wrote:

> From: "Rivera Alonso, David" <drivera@iberdrola.es>
> To: "'lb-l@vegan.net'" <lb-l@vegan.net>
> Subject: Delayed Binding and Half Open Connections in Alteon AD3
> Date: Thu, 9 Feb 2006 11:17:31 +0100
>
> Dear friends,
>
> I have a question about WebOS's SYN Attack Detection and Protection:
>
> After you enable Delayed Binding for a certain Virtual Service,
> there's a counter (Half Open Connections) in /stat/slb/layer7/maint
> that tracks the number of Started TCP Handshakes.
> I'd like to know if this is an "historic" or a "current state"
> counter.
> Our counter keeps growing since the activation of the Delayed Binding,
> and we want to know if there can be any risks (memory or cpu excessive
> consumption) associated with this counter.
> If it's just a "historic" counter then we won't be afraid, as we have
> no syslog messages about SYN Attack detection (more than 1000 half
> open connections per second).
>
> Besides, do you have any deeper information about where these
> Half Open Connections are stored in memory until they become an established TCP
> connection? And what happens if a real and dangerous SYN
> Flood arrives at the Alteon?
>
> And a last question: is there anything similar to NETSTAT which can tell
> us about TCP sessions and their state (SYN_RECV,
> FIN_WAIT...)?
>
> Many thanks for everything and best regards from Spain,
>
> DAVID
>
===============================================================
> This message is intended for the exclusive attention of the
> addressee(s) indicated. Any information contained herein is strictly
> confidential and privileged, especially as regards personal data,
> which must not be disclosed, in accordance with legislation currently
> in force. If you are not the intended recipient and have received it
> by mistake or learn about it in any other way, please notify us by
> return e-mail and delete this message from your computer system. Any
> unauthorised use, reproduction, alteration, filing or sending of this
> message and/or any attached files to third parties may lead to legal
> proceedings being taken. Any opinion expressed herein is solely that
> of the author(s) and does not necessarily represent the opinion of
> Iberdrola. The sender does not guarantee the integrity, speed or
> safety of this message, not accept responsibility for any possible
> damage arising from the interception, incorporation of virus or any
> other manipulation carried out by third parties.
>
===============================================================

____________________
The Load Balancing Mailing List
Unsubscribe: mailto:majordomo@vegan.net?body=unsubscribe%20lb-l
Archive: http://vegan.net/lb/archive
LBDigest: http://lbdigest.com
MRTG with SLB: http://vegan.net/MRTG
Hosted by: http://www.tokkisystems.com

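The thread contrasts two ways a load balancer can survive a SYN flood: Ken's description of delayed binding (the switch holds the half-open entry itself, binds a real server only after the third ACK, and flushes entries that do not complete within a few seconds), and Jon's question about SYN cookies (the switch stores nothing at all and instead encodes a keyed hash into the ISN, accepting the ACK only if the ACK number matches). The following Python model is an added example written for this page; it is not AlteonOS code and does not reproduce how WebOS actually builds its session table or cookies. The 2-second timeout, the HMAC-based cookie construction, the time-slot window and the server names are all assumptions chosen for illustration. It also shows the difference David asked about between a "historic" half-open counter, which only ever grows, and the "current state" half-open table, which empties as stale entries are flushed.

```python
import hashlib
import hmac

# Assumed values for the demo; a real device would rotate its key and tune the timeout.
COOKIE_SECRET = b"constructed-demo-secret"
HALF_OPEN_TIMEOUT = 2.0  # seconds; Ken's reply guesses 2 or 10 for the Alteon


def syn_cookie(cip, cport, vip, vport, t_slot, secret=COOKIE_SECRET):
    """Stateless SYN cookie: a 32-bit ISN derived from a keyed hash of the
    4-tuple and a coarse time slot. Nothing is stored when the SYN arrives."""
    msg = f"{cip}:{cport}>{vip}:{vport}|{t_slot}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")


def check_syn_cookie(cip, cport, vip, vport, ack, now_slot, secret=COOKIE_SECRET, window=2):
    """Accept the third-step ACK only if ack-1 equals the cookie for the current
    or a recent time slot. A forged ACK with the wrong number is rejected and no
    session is created, which is what makes the scheme flood-resistant."""
    for slot in range(now_slot, now_slot - window, -1):
        expected = (syn_cookie(cip, cport, vip, vport, slot, secret) + 1) & 0xFFFFFFFF
        if expected == ack:
            return True
    return False


class DelayedBindingVIP:
    """Stateful delayed binding: the VIP answers the SYN itself, keeps a
    half-open entry with a short lifetime, and binds a real server only after
    the handshake completes. Real servers never see a half-open connection."""

    def __init__(self, reals, timeout=HALF_OPEN_TIMEOUT):
        self.reals = list(reals)
        self.timeout = timeout
        self.half_open = {}        # (cip, cport) -> time the SYN arrived (current state)
        self.bound = {}            # (cip, cport) -> real server chosen after 3-way handshake
        self.half_open_total = 0   # historic counter: every started handshake, never decremented
        self._rr = 0

    def on_syn(self, cip, cport, now):
        self.half_open[(cip, cport)] = now
        self.half_open_total += 1

    def on_ack(self, cip, cport, now):
        """Bind to a real server (round robin) if the handshake finished in time."""
        started = self.half_open.pop((cip, cport), None)
        if started is None or now - started > self.timeout:
            return None  # unknown or expired handshake: nothing reaches a real server
        real = self.reals[self._rr % len(self.reals)]
        self._rr += 1
        self.bound[(cip, cport)] = real
        return real

    def expire(self, now):
        """Flush half-open entries older than the timeout; returns how many were flushed."""
        stale = [k for k, t in self.half_open.items() if now - t > self.timeout]
        for k in stale:
            del self.half_open[k]
        return len(stale)


def simulate(flood_syns=1000):
    """Constructed scenario: a burst of SYNs that never complete, then one
    legitimate client. Returns the counters a defender would compare."""
    vip = DelayedBindingVIP(["real-1", "real-2"])
    for i in range(flood_syns):
        vip.on_syn("198.51.100.7", 10000 + i, now=0.0)   # constructed flood source
    vip.on_syn("203.0.113.5", 40000, now=0.5)           # constructed legitimate client
    bound_to = vip.on_ack("203.0.113.5", 40000, now=1.0)
    flushed = vip.expire(now=3.0)
    return {
        "historic_half_open": vip.half_open_total,  # keeps growing, like the /stat counter
        "current_half_open": len(vip.half_open),    # back to zero once stale entries are flushed
        "flushed": flushed,
        "bound_sessions": len(vip.bound),
        "bound_to": bound_to,
    }


if __name__ == "__main__":
    print(simulate())
    c = syn_cookie("203.0.113.5", 40000, "192.0.2.10", 80, t_slot=100)
    print("cookie ok:", check_syn_cookie("203.0.113.5", 40000, "192.0.2.10", 80, (c + 1) & 0xFFFFFFFF, 100))
    print("forged ack:", check_syn_cookie("203.0.113.5", 40000, "192.0.2.10", 80, (c + 7) & 0xFFFFFFFF, 100))
```

In the delayed-binding model the flood inflates only the historic counter and the transient half-open table; after the timeout the table is empty and exactly one session was bound to a real server. The SYN-cookie path keeps no table at all, so the only resource a flood consumes is the hash computation per SYN, at the cost of losing TCP options that cannot be encoded in the cookie.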
Received on Thu Feb 9 13:58:31 2006

This archive was generated by hypermail 2.1.8 : Thu Feb 09 2006 - 14:12:41 EST