
[Openstack-operators] Best practice against DDoS on openstack


Hi all,

We’ve just recently been hit by a low-level DDoS on one of our compute nodes. The attack was filling our conntrack table while having no noticeable impact on our server load, which is why it took us a while to detect it. Is there any recommended practice regarding server configuration to reduce the impact of a DDoS on the whole compute node and thus prevent it from going down? I understand that increasing the size of the conntrack table is one, but outside of that?

Best regards,

Jean-Philippe Méthot
Openstack system administrator
Administrateur système Openstack
PlanetHoster inc.


OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
asked Oct 24, 2017 in openstack-operators by Jean-Philippe_Methot

2 Responses


On 2017-10-24 20:18:30 +0900 (+0900), Jean-Philippe Méthot wrote:
> We’ve just recently been hit by a low-level DDoS on one of our
> compute nodes. The attack was filling our conntrack table while
> having no noticeable impact on our server load, which is why it
> took us a while to detect it. Is there any recommended practice
> regarding server configuration to reduce the impact of a DDoS on
> the whole compute node and thus prevent it from going down? I
> understand that increasing the size of the conntrack table is one,
> but outside of that?

You might want to look into using iptables -j REJECT -m connlimit
--connlimit-above some threshold with matches for the individual
ports' addresses... I'm not a heavy on this end of operations but
others here probably know how to add hooks for something like that.
Of course this only moves the denial of service down to the
individual instance being targeted or used rather than knocking the
entire compute node offline (hopefully anyway), and is no substitute
for actual attack mitigation devices/services inline on the network.
--
Jeremy Stanley



responded Oct 24, 2017 by Jeremy_Stanley
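An added example (not from Jeremy's post or from any OpenStack project) covering the two things the question and this reply call for: watching conntrack table pressure so a quiet flood is noticed before the table fills, and emitting per-instance connlimit rules of the kind described above. The FORWARD chain, instance addresses and limits are constructed assumptions; the rules are printed, not applied.

```shell
#!/bin/sh
# Added example, not from the thread: check conntrack table pressure and
# emit per-instance connlimit rules. Addresses, limits and the FORWARD chain
# are constructed assumptions; adapt the chain to your Neutron firewall driver.

# Percentage of the conntrack table in use. Arguments: current count, table max.
conntrack_usage_pct() {
    count=$1; max=$2
    [ "$max" -gt 0 ] || { echo 0; return; }
    echo $(( count * 100 / max ))
}

# Read live values from /proc when present (Linux with nf_conntrack loaded);
# otherwise fall back to a constructed sample so the script runs anywhere.
conntrack_status() {
    proc=/proc/sys/net/netfilter
    if [ -r "$proc/nf_conntrack_count" ] && [ -r "$proc/nf_conntrack_max" ]; then
        conntrack_usage_pct "$(cat "$proc/nf_conntrack_count")" "$(cat "$proc/nf_conntrack_max")"
    else
        conntrack_usage_pct 58000 65536   # constructed sample: table 88% full
    fi
}

# Print (do not run) an iptables rule capping concurrent TCP connections to one
# instance address. --connlimit-daddr counts per destination, so a flood from
# many sources exhausts that instance's budget rather than the node's table.
connlimit_rule() {
    addr=$1; limit=$2; chain=${3:-FORWARD}
    printf 'iptables -I %s -d %s -p tcp --syn -m connlimit --connlimit-above %s --connlimit-daddr -j REJECT --reject-with tcp-reset\n' \
        "$chain" "$addr" "$limit"
}

# One rule per instance port address, all sharing the same limit.
rules_for_instances() {
    limit=$1; shift
    for addr in "$@"; do
        connlimit_rule "$addr" "$limit"
    done
}

ALERT_PCT=80   # warn above this so a quiet flood is noticed before the table fills
usage=$(conntrack_status)
echo "conntrack table ${usage}% full"
if [ "$usage" -ge "$ALERT_PCT" ]; then
    echo "WARNING: above ${ALERT_PCT}%; inspect 'conntrack -L' to find the targeted instance"
fi

# Dry run with constructed addresses; review the output, then pipe it into sh to apply.
rules_for_instances 200 10.0.0.12 10.0.0.17
```

connlimit itself keeps its counts through conntrack, so these rules contain the damage to one instance rather than curing the table filling; raising nf_conntrack_max and shortening timeouts, as the thread already notes, still belongs alongside them.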

Similarly, if you have the capability in your compute gear you could do
SR-IOV and push the problem entirely into the instance (but then you miss
out on Neutron secgroups and have to rely entirely on in-instance
firewalls).

Cheers,

On 25 October 2017 at 01:41, Jeremy Stanley <fungi@yuggoth.org> wrote:

> On 2017-10-24 20:18:30 +0900 (+0900), Jean-Philippe Méthot wrote:
>
> > We’ve just recently been hit by a low-level DDoS on one of our
> > compute nodes. The attack was filling our conntrack table while
> > having no noticeable impact on our server load, which is why it
> > took us a while to detect it. Is there any recommended practice
> > regarding server configuration to reduce the impact of a DDoS on
> > the whole compute node and thus prevent it from going down? I
> > understand that increasing the size of the conntrack table is one,
> > but outside of that?
>
> You might want to look into using iptables -j REJECT -m connlimit
> --connlimit-above some threshold with matches for the individual
> ports' addresses... I'm not a heavy on this end of operations but
> others here probably know how to add hooks for something like that.
> Of course this only moves the denial of service down to the
> individual instance being targeted or used rather than knocking the
> entire compute node offline (hopefully anyway), and is no substitute
> for actual attack mitigation devices/services inline on the network.
> --
> Jeremy Stanley

--
Cheers,
~Blairo


responded Oct 24, 2017 by Blair_Bethwaite