iqiyi / dpvs

DPVS is a high performance Layer-4 load balancer based on DPDK.

Spoofing address SYN Flood #198

Closed ba0f3 closed 6 years ago

ba0f3 commented 6 years ago

I'm using the default dpvs.conf.single-nic.sample, with a director and fnat to a real server. I'm facing about 2Mpps of spoofed-address SYN flood, and I get a lot of the message below:

NEIGHBOUR: [neigh_resolve_output] arp_unres_queue is full, drop packet

Is there any config tweak to handle the requests?

beacer commented 6 years ago

Thanks for your test. To address ARP flood on Linux, we can use static IP-MAC binding (static ARP has higher priority), and then ignore ARP requests on that Linux interface. DPVS also supports static ARP binding, but does not support ARP ignore or ARP priority. We will consider supporting those features. Thanks.

mscbg commented 6 years ago

"NEIGHBOUR: [neigh_resolve_output] arp_unres_queue is full, drop packet"; This log means the mbuf queue of a neighbour entry is full and perhaps dpvs got no ARP response. Can you show me your configuration? Do it like this:

ipvsadm -ln
dpip route show
dpip addr show

When syn flood is running, run this command: dpip neigh show

ba0f3 commented 6 years ago

VIP: 172.16.1.2 LIP 172.16.1.1 RS: 172.16.1.3

root@lb:~# ipvsadm -ln
IP Virtual Server version 0.0.0 (size=0)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  172.16.1.2:22 rr synproxy
  -> 172.16.1.3:22           FullNat 1      0          0

root@lb:~# dpip route show
inet 172.16.1.1/32 via 0.0.0.0 src 0.0.0.0 dev dpdk0.2 mtu 1500 tos 0 scope host metric 0 proto auto 
inet 172.16.1.2/32 via 0.0.0.0 src 0.0.0.0 dev dpdk0.2 mtu 1500 tos 0 scope host metric 0 proto auto 
inet 0.0.0.0/0 via 172.16.1.254 src 172.16.1.1 dev dpdk0.2 mtu 1500 tos 0 scope global metric 0 proto auto 
root@lb:~# dpip addr show
inet 172.16.1.1/32 scope global dpdk0.2
     valid_lft forever preferred_lft forever sa_used 3381 sa_free 1028795 sa_miss 0
inet 172.16.1.2/32 scope global dpdk0.2
     valid_lft forever preferred_lft forever

root@lb:~# dpip neigh show
ip: 172.16.1.2      mac: 00:00:00:00:00:00      mbuf: 0 
ip: 172.16.1.254      mac: 64:87:88:b8:xx:xx      mbuf: 0 

mscbg commented 6 years ago

Are 172.16.1.1 and 172.16.1.3 connected directly? You had better add a route like 172.16.1.2/24. Also, it's better to have an address which includes its net. You can try 'dpip addr add 172.16.1.4/24 dev dpdk0.2', or you can just add a local IP like this.
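
A check for the two conditions discussed in this thread, as an added example that is not part of the issue or of the DPVS project: it parses `dpip route show` and `dpip neigh show` text in the format shown above, flags hosts that no connected (via 0.0.0.0) route covers, which is the situation before the /24 address was added, and flags neighbour entries that are still unresolved but already hold queued mbufs, the backlog that precedes the "arp_unres_queue is full" message. The sample output is constructed; the 172.16.1.3 neighbour line and the shape of the /24 route line are assumptions.

```python
import ipaddress
import re

# Constructed sample output in the shape of the dpip output shown in this thread
# (the 172.16.1.3 neighbour line is added to show a backlogged, unresolved entry).
ROUTE_SHOW = """\
inet 172.16.1.1/32 via 0.0.0.0 src 0.0.0.0 dev dpdk0.2 mtu 1500 tos 0 scope host metric 0 proto auto
inet 172.16.1.2/32 via 0.0.0.0 src 0.0.0.0 dev dpdk0.2 mtu 1500 tos 0 scope host metric 0 proto auto
inet 0.0.0.0/0 via 172.16.1.254 src 172.16.1.1 dev dpdk0.2 mtu 1500 tos 0 scope global metric 0 proto auto
"""
NEIGH_SHOW = """\
ip: 172.16.1.2      mac: 00:00:00:00:00:00      mbuf: 0
ip: 172.16.1.254      mac: 64:87:88:b8:aa:bb      mbuf: 0
ip: 172.16.1.3      mac: 00:00:00:00:00:00      mbuf: 128
"""

ROUTE_RE = re.compile(r"inet (\S+) via (\S+) .*?dev (\S+)")
NEIGH_RE = re.compile(r"ip: (\S+)\s+mac: (\S+)\s+mbuf: (\d+)")


def parse_routes(text):
    """Yield (network, gateway, dev) for each 'dpip route show' line."""
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            yield ipaddress.ip_network(m[1], strict=False), m[2], m[3]


def route_for(routes, host):
    """Longest-prefix match, as the forwarding lookup would do it."""
    ip = ipaddress.ip_address(host)
    hits = [r for r in routes if ip in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen, default=None)


def hosts_sent_to_gateway(route_text, hosts):
    """Hosts with no connected (via 0.0.0.0) route covering them: traffic to
    them goes to a gateway instead of being ARP-resolved on the link."""
    routes = list(parse_routes(route_text))
    return [h for h in hosts
            if (r := route_for(routes, h)) is None or r[1] != "0.0.0.0"]


def backlogged_neighbours(neigh_text, threshold=1):
    """Unresolved entries (all-zero MAC) that already hold queued mbufs."""
    out = []
    for line in neigh_text.splitlines():
        m = NEIGH_RE.match(line)
        if m and m[2] == "00:00:00:00:00:00" and int(m[3]) >= threshold:
            out.append((m[1], int(m[3])))
    return out
```

Run the same checks again after adding the /24 address: the real server and the gateway should then match a connected route and drop out of the flagged list.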

ba0f3 commented 6 years ago

Yes, all IPs are connected directly. Thank you! I will try it.

ba0f3 commented 6 years ago

I did as you suggested and survived another DDoS attack, thank you very much! BTW, you should add ddos-protection and anti-ddos tags to the tag list.