RES: [load balancing] Re: Filter DOS Attacks

From: Claudio Rosa (crmrosaIZZATterra.com.br)
Date: Tue Sep 24 2002 - 06:43:56 EDT


    Hi Emil,

    Like Peter and Julio said, the Alteon delayed-binding feature works fine. We
    tested in our lab (GLOBO.COM) with 2 servers doing 30 Mbps of SYN attack and 8
    servers with a load generator doing 250 Mbps of valid traffic, everything
    without problems. The attack added nearly 10% of CPU on each of the 8
    processors A (the switch has 8 processors A ("frontend") and 8 processors B
    ("backend") for the traffic; the port 9 processors don't work for this, and 2
    other processors are for the management).

    In the SLB solutions, "delayed binding" is a good solution for your
    problem. In the URLWCR (layer 7) we found some problems, for which we have
    trouble tickets opened with Nortel Networks to solve them; anyway it is a
    good solution.

    Claudio Rosa

    -----Original Message-----
    From: owner-lb-lIZZATvegan.net [mailto:owner-lb-lIZZATvegan.net] On Behalf Of
    emilIZZATatrivo.com
    Sent: Monday, September 23, 2002 17:26
    To: lb-lIZZATvegan.net
    Subject: RE: [load balancing] Re: Filter DOS Attacks

    Hi Tony,

    I was afraid of that; we have been doing exactly that, having the upstream
    block the routes. Also we are now switching to a provider called Internap
    JUST for the incoming because they route through all the 9 tier 1 providers
    and claim to stop DOS attacks. We'll see what happens ;-)

    -----Original Message-----
    From: owner-lb-lIZZATvegan.net [mailto:owner-lb-lIZZATvegan.net]On Behalf Of
    tony bourke
    Sent: Monday, September 23, 2002 12:07 PM
    To: lb-lIZZATvegan.net
    Subject: RE: [load balancing] Re: Filter DOS Attacks

    Hi Emil,

    Yeah, if you've got a DOS attack that eats up all the incoming bandwidth
    you have available, there isn't any load balancer or any other network
    device that's going to be able to handle that.

    The solution then needs to be upstream. I remember about 2 years ago when
    those icmp-based DDoS attacks were crippling major sites like yahoo, I
    believe all of the major network providers put a cap on icmp inbound on
    their respective peering routers. SYN is a little more difficult, since
    it's harder to differentiate between useful and malicious traffic if it's
    distributed, but if it hits 100 Mbps there isn't anything the load
    balancer can do, since it's too late after it hits the line.

    Tony

    On Mon, 23 Sep 2002
    emilIZZATatrivo.com wrote:

    > It looks like it's a SYN flood because our incoming goes up to the full
    > 100 Mbit and basically cripples the line. Thanks for the response, awaiting
    > your next response on how to combat these!
    >
    > Thanks!
    >
    > -----Original Message-----
    > From: owner-lb-lIZZATvegan.net [mailto:owner-lb-lIZZATvegan.net]On Behalf Of
    > Claudio Rosa
    > Sent: Monday, September 23, 2002 3:07 AM
    > To: lb-lIZZATvegan.net
    > Subject: RES: [load balancing] Re: Filter DOS Attacks
    >
    >
    > Hi,
    >
    > Each kind of attack needs one "different filter". For example, if you
    > enable the "management network" feature, the switch will not respond to a
    > "ping"; if you enable the "delayed bind" feature, the switch will do the
    > "three way handshake" to avoid a "SYN FLOOD attack".
    >
    > What kind of attack are you thinking of?
    >
    > Rgds,
    >
    > Cláudio Rosa
    >
    > -----Original Message-----
    > From: owner-lb-lIZZATvegan.net [mailto:owner-lb-lIZZATvegan.net] On Behalf Of
    > emilIZZATatrivo.com
    > Sent: Saturday, September 21, 2002 22:04
    > To: lb-lIZZATvegan.net
    > Subject: [load balancing] Re: Filter DOS Attacks
    >
    >
    > Hey All,
    >
    > Anyone have any ideas of how to filter DOS attacks on the AD3? What are
    > some of you doing to prevent such attacks? Does it make sense to disable
    > ICMP?
    >
    > Thanks!
    >
    >
    > ____________________
    > The Load Balancing Mailing List
    > Unsubscribe: mailto:majordomoIZZATvegan.net?body=unsubscribe%20lb-l
    > Archive: http://vegan.net/lb/archive
    > LBDigest: http://lbdigest.com
    > MRTG with SLB: http://vegan.net/MRTG
    > Hosted by: http://www.tokkisystems.com

    --
    -------------- -- ---- ---- --- - - - -  -  -- -  -  -  -   -     -
    Tony Bourke				tonyIZZATvegan.net
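    The "delayed binding" Claudio describes (the switch completes the three-way handshake itself, so half-open connections from a SYN flood never reach the real servers) can be modelled in a few lines. The following is an added example written for this archive page; it is not code from the list, from Nortel Networks or from the Alteon product. It implements delayed binding as a SYN proxy that answers SYNs statelessly with an HMAC-derived cookie as its sequence number and binds a backend only once a client's ACK proves the handshake completed. Using a cookie for the stateless part is one way to build such a proxy and is an assumption of this example; the list does not say how the Alteon does it. All traffic, addresses, backend names and the `DelayedBindingProxy` / `simulate` names are constructed.

```python
import hashlib
import hmac
import os
import random

# Per-process secret for the cookie MAC (constructed for this example).
SECRET = os.urandom(16)
# A client must finish the handshake within roughly this many seconds.
COOKIE_WINDOW_SECONDS = 64


def syn_cookie(src, sport, dst, dport, bucket):
    """Stateless 32-bit initial sequence number for the proxy's SYN-ACK.

    An HMAC over the 4-tuple and a coarse time bucket lets the proxy later
    recognise a genuine third-packet ACK without having stored anything.
    """
    msg = f"{src}:{sport}:{dst}:{dport}:{bucket}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big")


class DelayedBindingProxy:
    """Front end that finishes the 3-way handshake before binding to a real server."""

    def __init__(self, backends):
        self.backends = list(backends)
        self.rr = 0
        self.bound = {}  # 4-tuple -> backend; an entry exists only after a valid ACK
        self.stats = {"syn": 0, "bound": 0, "bogus_ack": 0}

    def handle(self, pkt, now):
        bucket = int(now) // COOKIE_WINDOW_SECONDS
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if pkt["flags"] == "S":
            self.stats["syn"] += 1
            # Answer with SYN-ACK but allocate NO per-connection state: a flood of
            # spoofed SYNs therefore costs CPU only, never the connection table.
            return {
                "flags": "SA",
                "src": pkt["dst"], "sport": pkt["dport"],
                "dst": pkt["src"], "dport": pkt["sport"],
                "seq": syn_cookie(*key, bucket),
                "ack": (pkt["seq"] + 1) & 0xFFFFFFFF,
            }
        if pkt["flags"] == "A":
            expected = (pkt["ack"] - 1) & 0xFFFFFFFF
            # Accept the current and the previous bucket so a handshake that
            # straddles a bucket boundary still succeeds.
            if any(syn_cookie(*key, b) == expected for b in (bucket, bucket - 1)):
                backend = self.backends[self.rr % len(self.backends)]
                self.rr += 1
                self.bound[key] = backend  # only now does a real server see a connection
                self.stats["bound"] += 1
                return {"flags": "BIND", "backend": backend}
            self.stats["bogus_ack"] += 1  # forged, replayed or late ACK: dropped silently
            return None
        return None


def simulate(flood_syns=10000, seed=1):
    """Constructed traffic: a spoofed SYN flood, one real client, two bad ACKs."""
    rng = random.Random(seed)
    proxy = DelayedBindingProxy(["srv1", "srv2"])
    vip, vport = "10.0.0.10", 80
    now = 1000.0

    # 1. SYN flood from random spoofed sources (addresses from the TEST-NET-2 range).
    for _ in range(flood_syns):
        proxy.handle({"flags": "S", "src": f"198.51.100.{rng.randrange(256)}",
                      "sport": rng.randrange(1024, 65536), "dst": vip, "dport": vport,
                      "seq": rng.getrandbits(32)}, now)

    # 2. A legitimate client finishes the handshake 50 ms later.
    client, cport = "203.0.113.7", 40000
    synack = proxy.handle({"flags": "S", "src": client, "sport": cport, "dst": vip,
                           "dport": vport, "seq": 12345}, now)
    bind = proxy.handle({"flags": "A", "src": client, "sport": cport, "dst": vip,
                         "dport": vport, "seq": 12346,
                         "ack": (synack["seq"] + 1) & 0xFFFFFFFF}, now + 0.05)

    # 3. An ACK with a made-up acknowledgement number (no matching SYN-ACK cookie).
    proxy.handle({"flags": "A", "src": "203.0.113.9", "sport": 40001, "dst": vip,
                  "dport": vport, "seq": 1, "ack": 42}, now)

    # 4. The real client's valid ACK replayed 200 s later, outside the cookie window.
    proxy.handle({"flags": "A", "src": client, "sport": cport, "dst": vip,
                  "dport": vport, "seq": 12346,
                  "ack": (synack["seq"] + 1) & 0xFFFFFFFF}, now + 200)

    return dict(proxy.stats), len(proxy.bound), bind


if __name__ == "__main__":
    stats, table_size, bind = simulate()
    print(stats, "connections bound:", table_size, bind)
```

    After 10,000 spoofed SYNs the proxy's connection table still holds exactly one entry, the real client's, and only that client was handed to a backend; the forged ACK and the out-of-window replay are counted and dropped. What the model also makes visible is the limit Tony points out: every SYN still has to be received and answered, so the attack costs CPU on the front end (the figure Claudio measured) and, at line rate, bandwidth, which no device behind the saturated link can give back.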
    



    This archive was generated by hypermail 2.1.4 : Tue Sep 24 2002 - 06:51:54 EDT