[Openstack-operators] Best practice against DDoS on openstack

Blair Bethwaite blair.bethwaite at gmail.com
Tue Oct 24 22:54:20 UTC 2017

Similarly, if you have the capability in your compute gear you could do
SR-IOV and push the problem entirely into the instance (but then you miss
out on Neutron secgroups and have to rely entirely on in-instance


On 25 October 2017 at 01:41, Jeremy Stanley <fungi at yuggoth.org> wrote:

> On 2017-10-24 20:18:30 +0900 (+0900), Jean-Philippe Méthot wrote:
> > We’ve just recently been hit on by a low-level DDoS on one of our
> > compute nodes. The attack was fulling our conntrack table while
> > having no noticeable impact on our server load, which is why it
> > took us a while to detect it. Is there any recommended practice
> > regarding server configuration to reduce the impact of a DDoS on
> > the whole compute node and thus, prevent it from going down? I
> > understand that increasing the size of the conntrack table is one,
> > but outside of that?
> You might want to look into using iptables -j REJECT -m connlimit
> --connlimit-above some threshold with matches for the individual
> ports' addresses... I'm not a heavy on this end of operations but
> others here probably know how to add hooks for something like that.
> Of course this only moves the denial of service down to the
> individual instance being targeted or used rather than knocking the
> entire compute node offline (hopefully anyway), and is no substitute
> for actual attack mitigation devices/services inline on the network.
> --
> Jeremy Stanley
> _______________________________________________
> OpenStack-operators mailing list
> OpenStack-operators at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-operators/attachments/20171025/1e55c37a/attachment.html>

More information about the OpenStack-operators mailing list