RE: [load balancing] Delayed Binding and Half Open Connections in Alteon AD3

From: Ken Thurman <thudinga [izzat] yahoo.com>
Date: Thu Feb 09 2006 - 16:51:03 EST

Yes, I stand corrected.

Ken

--- Peter Degrassi <degrassi@layer227.com> wrote:

> You're correct Jon. It's a syn-cookie mechanism,
> session entries are not created on just the SYN
> packet when dbind is enabled. The TCP handshake
> must complete before a session entry is created.
>
> Peter
>
> -----Original Message-----
> From: owner-lb-l@vegan.net
> [mailto:owner-lb-l@vegan.net] On Behalf Of
> jon.hartman@verizon.com
> Sent: Thursday, February 09, 2006 11:54 AM
> To: lb-l@vegan.net
> Subject: RE: [load balancing] Delayed Binding and
> Half Open Connections in Alteon AD3
>
> We were given the impression that the later versions
> of AlteonOS use syn-cookies to prevent SYN floods
> and that an actual session isn't opened until the
> ACK (third step of the handshake) is sent with the
> correct ACK # hash. Is that the case?
>
> -----Original Message-----
> From: owner-lb-l@vegan.net
> [mailto:owner-lb-l@vegan.net] On Behalf Of Ken
> Thurman
> Sent: Thursday, February 09, 2006 8:53 AM
> To: lb-l@vegan.net
> Subject: Re: [load balancing] Delayed Binding and
> Half Open Connections in Alteon AD3
>
> David,
>
> That counter is a historic counter, so no need to
> worry. If one of your VIPs were under a SYN flood
> attack, using delayed bindings would protect the real
> servers, as the session is not bound to a real server
> until the 3-way TCP handshake has been completed.
> The switch will only wait for a few seconds for the
> client to finish the 3-way handshake before it
> flushes the connection. (I think it's 2 seconds but
> it could be 10 seconds.) So unless the switch receives
> enough SYNs in that period to fill up the session
> table, you are good.
>
> As for a netstat command, it would not be very
> useful, but the session table dump is: /inf/slb/sess.
> Depending on the version of code you are running you
> can dump based on CIP, DIP and other criteria, or the
> whole table with /inf/slb/sess/dump. To find out
> how to read the session table, /inf/slb/sess/help
> will dump out the information on how to read it.
>
> Regards,
>
> Ken
>
> --- "Rivera Alonso, David" <drivera@iberdrola.es> wrote:
>
> > From: "Rivera Alonso, David" <drivera@iberdrola.es>
> > To: "'lb-l@vegan.net'" <lb-l@vegan.net>
> > Subject: Delayed Binding and Half Open Connections in Alteon AD3
> > Date: Thu, 9 Feb 2006 11:17:31 +0100
> >
> > Dear friends,
> >
> > I have a question about WebOS's SYN Attack Detection and Protection:
> >
> > After you enable Delayed Binding for a certain Virtual Service,
> > there's a counter (Half Open Connections) in /stat/slb/layer7/maint
> > that tracks the number of Started TCP Handshakes.
> > I'd like to know if this is an "historic" or a "current state" counter.
> > Our counter keeps growing since the activation of the Delayed Binding,
> > and we want to know if there can be any risks (excessive memory or CPU
> > consumption) associated with this counter.
> > If it's just a "historic" counter then we won't be afraid, as we have
> > no syslog messages about SYN Attack detection (more than 1000 half
> > open connections per second).
> >
> > Besides, do you have any deeper information about "where" these
> > Half Open Connections are stored until they become an established TCP
> > connection in memory? And what happens if a real and dangerous SYN
> > Flood arrives at the Alteon?
> >
> > And last question, is there anything similar to NETSTAT which can tell
> > us about TCP sessions and their state (SYN_RECV, FIN_WAIT...)?
> >
> > Many thanks for everything and best regards from Spain,
> >
> > DAVID
> > >
> >
> >
>
===============================================================
> > This message is intended for the exclusive
> attention of the
> > addressee(s) indicated. Any information contained
> herein is strictly
> > confidential and privileged, especially as regards
> personal data,
> > which must not be disclosed, in accordance with
> legislation currently
> > in force. If you are not the intended recipient
> and have received it
> > by mistake or learn about it in any other way,
> please notify us by
> > return e-mail and delete this message from your
> computer system. Any
> > unauthorised use, reproduction, alteration, filing
> or sending of this
> > message and/or any attached files to third parties
> may lead to legal
> > proceedings being taken. Any opinion expressed
> herein is solely that
> > of the author(s) and does not necessarily
> represent the opinion of
> > Iberdrola. The sender does not guarantee the
> integrity, speed or
> > safety of this message, not accept responsibility
> for any possible
> > damage arising from the interception,
> incorporation of virus or any
> > other manipulation carried out by third parties.
> >
>
===============================================================
>
>
> __________________________________________________
> Do You Yahoo!?
> Tired of spam? Yahoo! Mail has the best spam
> protection around http://mail.yahoo.com
> ____________________ The Load Balancing Mailing List
> Unsubscribe:
> mailto:majordomo@vegan.net?body=unsubscribe%20lb-l
> Archive: http://vegan.net/lb/archive
> LBDigest: http://lbdigest.com
> MRTG with SLB: http://vegan.net/MRTG
> Hosted by: http://www.tokkisystems.com
>
=== message truncated ===

Received on Thu Feb 9 18:56:31 2006
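The syn-cookie behaviour Peter and Jon describe above (no session entry until the third-step ACK arrives with the right ACK number, and a historic handshake counter that keeps climbing regardless) worked through as an added Python simulation. This is illustrative code written for this archive page, not Alteon/WebOS code: the 4-second time slot, the two-slot acceptance window, HMAC-SHA256 as the cookie function and the 3-bit slot tag packed into the ISN are all assumptions of mine, and the flood and client addresses are constructed sample data.

```python
"""Stateless SYN-cookie handshake model (constructed example, not Alteon code).

The listener answers every SYN with a SYN/ACK whose initial sequence number
(ISN) is a keyed hash of the 4-tuple plus a coarse time slot, stores nothing,
and binds a session only when the third-step ACK re-verifies under the key.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

SLOT_SECONDS = 4        # assumed width of one cookie time slot
COOKIE_TTL_SLOTS = 2    # assumed: accept cookies minted in the current or previous slot


@dataclass(frozen=True)
class FourTuple:
    cip: str
    cport: int
    dip: str
    dport: int


class SynCookieListener:
    def __init__(self, secret=None, clock=time.time):
        self._secret = secret or os.urandom(32)
        self._clock = clock
        self.sessions = {}      # bound sessions only, created after the 3rd step
        self.synacks_sent = 0   # historic counter, like "Half Open Connections"

    def _slot(self):
        return int(self._clock() // SLOT_SECONDS)

    def _cookie(self, ft, slot):
        """32-bit ISN: top 3 bits tag the slot, low 29 bits are a keyed MAC."""
        msg = f"{ft.cip}|{ft.cport}|{ft.dip}|{ft.dport}|{slot}".encode()
        digest = hmac.new(self._secret, msg, hashlib.sha256).digest()
        mac = int.from_bytes(digest[:4], "big") & 0x1FFFFFFF
        return ((slot & 0x7) << 29) | mac

    def on_syn(self, ft):
        """Step 1/2: reply with a cookie ISN; no per-connection state is kept."""
        self.synacks_sent += 1
        return self._cookie(ft, self._slot())

    def on_ack(self, ft, ack_number):
        """Step 3: recompute the cookie; bind a session only if it checks out."""
        isn = (ack_number - 1) & 0xFFFFFFFF
        slot_tag = isn >> 29
        now = self._slot()
        for age in range(COOKIE_TTL_SLOTS):
            slot = now - age
            if (slot & 0x7) != slot_tag:
                continue
            expected = self._cookie(ft, slot).to_bytes(4, "big")
            if hmac.compare_digest(expected, isn.to_bytes(4, "big")):
                self.sessions[ft] = "ESTABLISHED"
                return True
        return False


def simulate():
    """Flood of SYNs that never complete, one real client, one forged and one stale ACK."""
    clock = [1000.0]
    lb = SynCookieListener(secret=b"k" * 32, clock=lambda: clock[0])
    vip = ("10.0.0.1", 80)   # constructed VIP

    # constructed flood: 5000 SYNs from spoofed sources that never answer
    for i in range(5000):
        lb.on_syn(FourTuple(f"203.0.113.{i % 250}", 1024 + i, *vip))
    flood_sessions = len(lb.sessions)

    # legitimate client completes the 3-way handshake
    ft = FourTuple("198.51.100.7", 40000, *vip)
    isn = lb.on_syn(ft)
    legit = lb.on_ack(ft, (isn + 1) & 0xFFFFFFFF)

    # same ACK number replayed from a different 4-tuple is rejected
    forged = lb.on_ack(FourTuple("198.51.100.8", 40001, *vip), (isn + 1) & 0xFFFFFFFF)

    # client that answers after the cookie window has expired is rejected
    ft2 = FourTuple("198.51.100.9", 40002, *vip)
    isn2 = lb.on_syn(ft2)
    clock[0] += SLOT_SECONDS * (COOKIE_TTL_SLOTS + 1)
    stale = lb.on_ack(ft2, (isn2 + 1) & 0xFFFFFFFF)

    return {
        "synacks_sent": lb.synacks_sent,   # historic counter keeps growing
        "flood_sessions": flood_sessions,  # state created by the flood: none
        "legit_bound": legit,
        "forged_bound": forged,
        "stale_bound": stale,
        "sessions": len(lb.sessions),
    }


if __name__ == "__main__":
    print(simulate())
```

The point the thread settles on falls out of the numbers: `synacks_sent` climbs with every SYN, exactly like the historic counter David asked about, while `sessions` only grows for the one client that finished the handshake, so a flood that never sends the third packet costs the switch nothing in table entries.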

This archive was generated by hypermail 2.1.8 : Thu Feb 09 2006 - 19:09:56 EST