lfd daemon does not seem to do Connection Tracking at CT_LIMIT specified interval
Posted: 24 Jul 2009, 16:14
Hello,
first of all, thank you for this great software.
I am running csf+lfd in a production environment and I am overall very happy with it. It is easy to manage while powerful enough to supposedly do what I need.
I installed it to prevent SYN_RECV flooding at first, and it does the job.
But with the public release of slowloris, I see an increase in attempts to DoS my sites.
I decided to add the state ESTABLISHED to the CT_STATES value (previously just SYN_RECV) and have a friend test slowloris on me.
On 2 of my servers, I see the block in lfd.log less than a minute after the start of the attack, but on my third one, it does not seem to trigger, at all.
The process is sleeping, I see it block IPs from time to time, but no matter what, it won't see/block my friend, at least not in the delay that I ask it to. And considering apache dies in like 3 minutes max, I need it to trigger fast.
I am sure that the threshold is reached by running:
netstat -an | grep ESTABLISHED | grep xxx.yyy.zzz.aaa | wc -l
I see the number growing until it takes up all the slots and apache dies.
The 3 servers are running 4.75, debian lenny 5.0.2, they are quasi-identical (only CPU and RAM change). Ironically the one that fails is the big one, with 8 CPUs and 8 GBs of RAM.
Is there anything I could look into, in order to see why it fails to trigger?
-pill
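As an added example (not from the original post or from the csf/lfd project), here is a shell function that performs the count the poster runs by hand, but across every foreign IP and every state listed in CT_STATES at once, so the netstat view can be compared against what lfd logs. The `netstat -an` sample is constructed (TEST-NET addresses), and the "count at or above CT_LIMIT" comparison is an assumption; check csf.conf for lfd's exact rule.

```shell
# Constructed sample of `netstat -an` output; addresses are documentation ranges, not real hosts.
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             203.0.113.7:51234       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51235       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51236       SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.9:40001      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.9:40002      TIME_WAIT
tcp        0      0 10.0.0.5:22             192.0.2.44:55000        ESTABLISHED'

# ct_check STATES LIMIT
#   STATES: comma-separated list in the CT_STATES style, e.g. "SYN_RECV,ESTABLISHED"
#   LIMIT:  the CT_LIMIT value to compare against
# Reads `netstat -an` output on stdin and prints "<foreign ip> <count>" for every
# foreign IP whose connections in the listed states reach LIMIT (assumed >= rule).
ct_check() {
    awk -v states="$1" -v limit="$2" '
        BEGIN { n = split(states, s, ","); for (i = 1; i <= n; i++) want[s[i]] = 1 }
        # tcp and tcp6 rows only; field 5 is the foreign address, field 6 the state
        $1 ~ /^tcp/ && ($6 in want) {
            ip = $5
            sub(/:[^:]*$/, "", ip)     # drop the trailing :port, leaving the IP
            count[ip]++
        }
        END { for (ip in count) if (count[ip] >= limit) print ip, count[ip] }
    ' | sort
}

# Usage against the live host:  netstat -an | ct_check SYN_RECV,ESTABLISHED "$CT_LIMIT"
# Against the constructed sample:
printf '%s\n' "$SAMPLE" | ct_check SYN_RECV,ESTABLISHED 2
```

Running this alongside lfd during a test gives a per-IP count from the same netstat data, which makes it easy to see whether the threshold is reached on the host while lfd stays silent.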