Tuesday, October 21, 2014

iptables - How to tune Linux kernel to withstand DDoS? (HAProxy)



Please do not reply with "this is not possible", as it's a waste of time. I am developing a cloud appliance and I have a valid reason to protect this layer against DDoS, and there are a few companies doing the same, so please don't tell me that I don't have a point, as many companies are looking to buy this solution and I don't see the problem with implementing it using stock Linux.



My Linux kernel is crashing with an oops at 10,000 connections due to lack of resources like CPU and RAM. I was wondering how to limit it safely so that it doesn't create TCP/IP connections in the netfilter connection tracking table or elsewhere when somebody is trying to open 100,000 connections from various hosts?



The network card is 1 Gbps and with maxed buffers it can take lots of connections; however, I would like to limit it to only 5,000 at the same time, with the rest being dropped except when there are free connection slots. At the kernel level, so it doesn't pollute netfilter or anything, and it's dropped as soon as possible.

There are these factors:

  • Number of HAProxy connections is limited to only 5,000
  • Linux is crashing with 10,000 open connections
  • I want to withstand 100,000 open connections every minute, so maybe netfilter can handle it, but not HAProxy.
  • The existing connections continue to operate


This is to make the machine withstand a DDoS attack without an oops, and as soon as the attack stops, the service recovers automatically so that it continues to serve as normal at a low rate.




This is about the physical layer of the server instance, not the switch. Assuming that the switch is passing this much traffic to me, I can handle it; the upstream provider does not always have the ability to adjust or to protect against this at all.


Answer



I don't agree that there isn't anything you can do. There are lots of things you can do, and depending on the size of the attack and the size of the hardware you've got, you stand a pretty good chance of defending yourself.



For SYN floods, google a bit. You probably want a spanking new Linux kernel, as there have been quite a few improvements lately. Go for 3.6 and enable SYN cookies. There are a couple of other tunables you can tweak. Make sure to read up on it first, as randomly tuning stuff is never a good idea and will cause problems.



If it is an HTTP flood, which is common these days, you might want to consider Varnish. You might be able to identify the attacking requests by some pattern and kill them off in vcl_recv. You can deploy the shield module in order to kill off these connections, as serving up an error page is a wasted effort. Be warned: this is not a quick fix and will require substantial effort on your end.



Good luck.
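The following script is an added example and is not part of the question or the answer above. It sketches what "enable SYN cookies plus a couple of other tunables" and the asker's "5,000 at the same time, rest dropped until a slot frees up" look like on stock Linux with iptables: SYN cookies and backlog sysctls, conntrack sizing and short half-open timeouts so 100,000 SYNs a minute do not fill the table, raw-table drops that happen before conntrack ever sees the packet, and a connlimit rule with mask 0 that caps the total number of tracked connections while leaving established ones alone. The port list, the per-source limits, the conntrack table size and the variable names are assumptions, not values from the page; review them against your own hardware before running it as root with the `apply` argument. Setting `IPT=echo SYSCTL=echo` prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
# Assumptions: IPv4 only, HAProxy listens on $PORTS, and the conntrack,
# connlimit and hashlimit iptables modules are available. Run as root with
# "apply"; with IPT=echo SYSCTL=echo it only prints what it would do.
set -eu

MAX_CONN="${MAX_CONN:-5000}"      # global cap, matching HAProxy's maxconn from the question
PER_SRC="${PER_SRC:-50}"          # concurrent connections allowed per source IP (assumed value)
SYN_RATE="${SYN_RATE:-25/sec}"    # new-connection rate allowed per source IP (assumed value)
PORTS="${PORTS:-80,443}"          # HAProxy front-end ports (assumed)
IPT="${IPT:-iptables}"
SYSCTL="${SYSCTL:-sysctl}"

# SYN-flood side: once the accept backlog fills, SYN cookies let the kernel
# answer SYNs without keeping half-open state, so the queue cannot be exhausted.
tune_syn_flood() {
    $SYSCTL -w net.ipv4.tcp_syncookies=1
    $SYSCTL -w net.ipv4.tcp_timestamps=1       # cookies need timestamps to keep SACK/wscale
    $SYSCTL -w net.ipv4.tcp_max_syn_backlog=65536
    $SYSCTL -w net.ipv4.tcp_synack_retries=2   # give up on unresponsive half-open peers sooner
    $SYSCTL -w net.core.somaxconn=65535
    $SYSCTL -w net.core.netdev_max_backlog=65536
}

# Conntrack side: size the table for the flood (each entry costs RAM, so this
# is bounded by the box) and expire half-open entries quickly so that a burst
# of SYNs cannot pin the table full for minutes.
tune_conntrack() {
    $SYSCTL -w net.netfilter.nf_conntrack_max=262144
    $SYSCTL -w net.netfilter.nf_conntrack_tcp_timeout_syn_sent=30
    $SYSCTL -w net.netfilter.nf_conntrack_tcp_timeout_syn_recv=30
    $SYSCTL -w net.netfilter.nf_conntrack_tcp_timeout_established=3600
    $SYSCTL -w net.netfilter.nf_conntrack_tcp_loose=0   # do not adopt mid-stream flows
}

install_rules() {
    # The raw table runs before conntrack: junk dropped here never gets an entry.
    $IPT -t raw -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
    $IPT -t raw -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    $IPT -t raw -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

    $IPT -N SYN_GUARD 2>/dev/null || $IPT -F SYN_GUARD
    # Existing connections keep working untouched; only new SYNs go through the guard.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    $IPT -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
    $IPT -A INPUT -p tcp --syn -m multiport --dports "$PORTS" -j SYN_GUARD

    # Global cap: mask 0 lumps every source into one bucket, so once MAX_CONN
    # tracked connections exist, further SYNs are dropped until slots free up.
    $IPT -A SYN_GUARD -m connlimit --connlimit-above "$MAX_CONN" --connlimit-mask 0 -j DROP
    # Per-source cap and per-source SYN rate, so one host cannot eat the whole budget.
    $IPT -A SYN_GUARD -m connlimit --connlimit-above "$PER_SRC" --connlimit-mask 32 -j DROP
    $IPT -A SYN_GUARD -m hashlimit --hashlimit-name syn_guard --hashlimit-mode srcip \
        --hashlimit-upto "$SYN_RATE" --hashlimit-burst 50 -j ACCEPT
    $IPT -A SYN_GUARD -j DROP
}

if [ "${1:-}" = "apply" ]; then
    tune_syn_flood
    tune_conntrack
    install_rules
fi
```

Two caveats a practitioner should keep in mind. connlimit counts conntrack entries, so it cannot replace conntrack; what keeps the table from being "polluted" is the short syn_sent/syn_recv timeouts and the raw-table drops, not the cap itself. And SYN cookies only engage once the backlog is full, so the sysctls above do nothing for a flood of completed handshakes; that is where the per-source limits and, as the answer says, an application-layer filter such as Varnish come in.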


