List:       linux-virtual-server
Subject:    Re: udp flood tool crashes LVS-NAT from the inside
From:       Graeme Fowler <graeme () graemef ! net>
Date:       2004-11-06 12:00:35
Message-ID: Pine.LNX.4.44.0411061155480.16316-100000 () server ! graemef ! net

On Sat, 6 Nov 2004, Mickey Everts wrote:
> Today I had an incident at work where an attacker used a PHP exploit to grab
> the following script and run it from one of our "real servers" (running as
> apache's permissions):
> http://www.packetstormsecurity.org/DoS/udp.pl

Ouch. Common, sadly, but ouch.

> This rather short script brought our LVS box, a 3 GHz Pentium 3 system with
> dual gigabit interfaces, to its knees.  Note that it's actually connected to
> a 100megabit interface.  Obviously we want to secure our real servers, but
> is there any way to stop this kind of thing from killing our LVS server so
> easily?

You could not only "harden" your systems, but also consider using the iptables 
'limit' module and/or Linux QoS tools to limit arbitrary outbound traffic. If 
you know that your webserver isn't going to initiate outbound connections, for 
example, you can create policies to squash packet and bit rates from arbitrary 
ports without breaking Apache's return traffic.

I've seen gigabit-connected servers (and 100 meg, too) bring entire Cisco 
based networks to their knees in a matter of seconds simply by creating floods 
of tens (or hundreds) of thousands of packets per second. Everything has a 
limit as to how many packets it can shovel, and if you hit that limit then 
things start to break.

In a nutshell, the short answer is no!

Graeme
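A concrete form of the egress policy Graeme sketches, added here as an example and not part of the original thread or of LVS: an iptables OUTPUT chain that lets Apache's reply traffic through unconditionally (it is ESTABLISHED) but rate-limits anything the web server's own user originates, so a flood started under apache's uid is squashed to a trickle on the real server before it reaches the director. The interface-free rules below assume the legacy `iptables` binary with the `limit`, `state` and `owner` matches (all present in 2.4/2.6-era kernels), a resolver address of 10.0.0.2, a web-server user named `apache`, and a 10 packets/second ceiling with a burst of 20; all of those are assumptions, adjust them to the host. The rules are printed rather than applied by default so the policy can be reviewed without root.

```shell
#!/bin/sh
# Egress rate-limit for an LVS real server whose web server never needs
# to open outbound connections of its own.  Added example; assumptions:
IPT=${IPT:-iptables}          # legacy iptables binary
WEB_USER=${WEB_USER:-apache}  # uid the httpd children run as
RESOLVER=${RESOLVER:-10.0.0.2}  # the only host apache may talk UDP/53 to
RATE=${RATE:-10/second}       # ceiling for apache-originated packets
BURST=${BURST:-20}            # token bucket depth for short legitimate bursts

# Emit the rules as text.  Order matters: return traffic for accepted
# inbound HTTP connections is ESTABLISHED and is accepted before the
# limit chain is ever consulted, so serving pages is never throttled.
# A UDP flood to hosts that never answer stays in state NEW and hits
# the limit chain on every packet.
egress_rules() {
    cat <<EOF
$IPT -N EGRESS_LIMIT
$IPT -A EGRESS_LIMIT -m limit --limit $RATE --limit-burst $BURST -j ACCEPT
$IPT -A EGRESS_LIMIT -m limit --limit 1/second -j LOG --log-prefix "egress-flood: "
$IPT -A EGRESS_LIMIT -j DROP
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -p udp -d $RESOLVER --dport 53 -j ACCEPT
$IPT -A OUTPUT -m owner --uid-owner $WEB_USER -p udp -j EGRESS_LIMIT
$IPT -A OUTPUT -m owner --uid-owner $WEB_USER -p tcp --syn -j EGRESS_LIMIT
$IPT -A OUTPUT -m owner --uid-owner $WEB_USER -p icmp -j EGRESS_LIMIT
EOF
}

# Apply the rules when run as root; otherwise just print them.
apply_egress_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "not root: printing rules instead of applying them" >&2
        egress_rules
        return 1
    fi
    egress_rules | sh -e
}

case "${1:-print}" in
    apply) apply_egress_rules ;;
    *)     egress_rules ;;
esac
```

Two caveats a practitioner should keep in mind. The `limit` match counts packets, not bits, so a handful of large packets per second still passes; Graeme's "Linux QoS tools" remark is about `tc`, which is where a byte-rate cap belongs. And the `owner` match only exists in the OUTPUT chain, which is exactly what is wanted here: root-owned daemons (syslog, NTP, the LVS keepalive traffic) are untouched, only the uid the PHP exploit inherited is constrained. Any legitimate connection the web user must initiate (a database host, for instance) should get its own ACCEPT line ahead of the jump, like the resolver rule above.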

_______________________________________________
LinuxVirtualServer.org mailing list - lvs-users@LinuxVirtualServer.org
Send requests to lvs-users-request@LinuxVirtualServer.org
or go to http://www.in-addr.de/mailman/listinfo/lvs-users