Similarly, if you have the capability in your compute gear you could do SR-IOV and push the problem entirely into the instance (but then you miss out on Neutron secgroups and have to rely entirely on in-instance firewalls).
Cheers,

On 25 October 2017 at 01:41, Jeremy Stanley <[email protected]> wrote:
> On 2017-10-24 20:18:30 +0900 (+0900), Jean-Philippe Méthot wrote:
> > We’ve just recently been hit on by a low-level DDoS on one of our
> > compute nodes. The attack was filling our conntrack table while
> > having no noticeable impact on our server load, which is why it
> > took us a while to detect it. Is there any recommended practice
> > regarding server configuration to reduce the impact of a DDoS on
> > the whole compute node and thus, prevent it from going down? I
> > understand that increasing the size of the conntrack table is one,
> > but outside of that?
>
> You might want to look into using iptables -j REJECT -m connlimit
> --connlimit-above some threshold with matches for the individual
> ports' addresses... I'm not a heavy on this end of operations but
> others here probably know how to add hooks for something like that.
> Of course this only moves the denial of service down to the
> individual instance being targeted or used rather than knocking the
> entire compute node offline (hopefully anyway), and is no substitute
> for actual attack mitigation devices/services inline on the network.
> --
> Jeremy Stanley
>
> _______________________________________________
> OpenStack-operators mailing list
> [email protected]
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>

--
Cheers,
~Blairo
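The thread's detection problem is that a conntrack-exhaustion attack leaves CPU load untouched, so the table itself has to be watched. The script below is an added example (not from any poster or from OpenStack) of a conntrack-utilisation check for a compute node; it reads the standard nf_conntrack sysctl files, with the threshold and the sample values in the comments chosen for illustration.

```shell
#!/bin/sh
# Conntrack-table utilisation check for a compute node (added example).
# Standard nf_conntrack sysctl files on a Linux host with the module loaded.
COUNT_FILE=/proc/sys/net/netfilter/nf_conntrack_count
MAX_FILE=/proc/sys/net/netfilter/nf_conntrack_max

# conntrack_pct COUNT MAX -> integer percentage of the table in use.
conntrack_pct() {
    count=$1
    max=$2
    [ "$max" -gt 0 ] || { echo 0; return 1; }
    echo $(( count * 100 / max ))
}

# conntrack_status COUNT MAX WARN_PCT -> prints one status line.
# Returns 0 when below the threshold, 1 when at or above it.
conntrack_status() {
    pct=$(conntrack_pct "$1" "$2")
    if [ "$pct" -ge "$3" ]; then
        echo "WARN conntrack table ${pct}% full ($1/$2); possible conntrack-exhaustion DoS"
        return 1
    fi
    echo "OK conntrack table ${pct}% full ($1/$2)"
    return 0
}

# Live check, e.g. from cron or a monitoring agent: conntrack_check_live 80
# Returns 2 when the sysctls are absent (module not loaded / not Linux).
conntrack_check_live() {
    [ -r "$COUNT_FILE" ] && [ -r "$MAX_FILE" ] || {
        echo "nf_conntrack sysctls not present"
        return 2
    }
    conntrack_status "$(cat "$COUNT_FILE")" "$(cat "$MAX_FILE")" "${1:-80}"
}

# The thread's first mitigation, raising the ceiling, is a sysctl on the same
# node, e.g.:  sysctl -w net.netfilter.nf_conntrack_max=<larger value>
# (the matching hash size lives in /sys/module/nf_conntrack/parameters/hashsize).
```

Run it from cron and alert on a non-zero exit; the threshold argument defaults to 80% when omitted.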
