[Openstack-operators] Best practice against DDoS on openstack

Jeremy Stanley fungi at yuggoth.org
Tue Oct 24 14:41:42 UTC 2017


On 2017-10-24 20:18:30 +0900 (+0900), Jean-Philippe Méthot wrote:
> We’ve just recently been hit on by a low-level DDoS on one of our
> compute nodes. The attack was filling our conntrack table while
> having no noticeable impact on our server load, which is why it
> took us a while to detect it. Is there any recommended practice
> regarding server configuration to reduce the impact of a DDoS on
> the whole compute node and thus, prevent it from going down? I
> understand that increasing the size of the conntrack table is one,
> but outside of that?

You might want to look into using iptables -j REJECT -m connlimit
--connlimit-above some threshold with matches for the individual
ports' addresses... I'm not a heavy on this end of operations but
others here probably know how to add hooks for something like that.
Of course this only moves the denial of service down to the
individual instance being targeted or used rather than knocking the
entire compute node offline (hopefully anyway), and is no substitute
for actual attack mitigation devices/services inline on the network.
-- 
Jeremy Stanley
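An added example, not part of Jeremy's reply or the original thread, showing the two pieces a compute-node operator would want after this exchange: a check of conntrack table occupancy (the symptom that went unnoticed in the original report) and the connlimit rule Jeremy suggests, rendered for one instance address. The instance IP 203.0.113.10, the threshold of 50, and the use of the FORWARD chain are assumptions for illustration; on a Neutron-managed node the rule would normally go into the per-port chain that the security-group driver maintains rather than directly into FORWARD. The /proc counters and the kernel "table full" message are the real nf_conntrack ones.

```shell
#!/bin/sh
# Added example for the connlimit suggestion above; not code from the thread.
# Assumes a Linux compute node with iptables and the nf_conntrack module loaded.

# Percentage of the conntrack table currently in use. COUNT and MAX are
# optional so the function can be exercised with constructed values; without
# them it reads the live kernel counters.
conntrack_usage_pct() {
    count="${1:-$(cat /proc/sys/net/netfilter/nf_conntrack_count)}"
    max="${2:-$(cat /proc/sys/net/netfilter/nf_conntrack_max)}"
    echo $(( count * 100 / max ))
}

# Exit 0 when usage is at or above THRESHOLD_PCT, so this can drive an alert
# (cron, Nagios, etc.). Server load stays flat while the table fills, which is
# exactly why a dedicated check is needed.
conntrack_above() {
    threshold_pct="$1"
    pct="$(conntrack_usage_pct "$2" "$3")"
    [ "$pct" -ge "$threshold_pct" ]
}

# Count kernel "table full" drop messages in log text read from stdin,
# e.g.  dmesg | conntrack_drop_msgs
conntrack_drop_msgs() {
    grep -c 'nf_conntrack: table full, dropping packet' || true
}

# Print the iptables rule that rejects new TCP connections to one instance
# address (203.0.113.10 style placeholder) once a single source holds more
# than THRESHOLD concurrent connections to it. MASK 32 limits per source
# address; MASK 0 instead caps the total for the instance regardless of
# source, which is the variant that helps against a distributed attack.
# Printing rather than executing lets the operator review the rule first
# (apply with: connlimit_rule 203.0.113.10 50 | sh).
connlimit_rule() {
    instance_ip="$1"
    threshold="$2"
    mask="${3:-32}"
    printf 'iptables -I FORWARD -d %s -p tcp --syn -m connlimit --connlimit-above %s --connlimit-mask %s -j REJECT --reject-with tcp-reset\n' \
        "$instance_ip" "$threshold" "$mask"
}
```

Matching on `--syn` means only new connection attempts are refused; existing sessions to the instance are not reset when the limit trips. As Jeremy notes, this confines the damage to the targeted instance rather than the whole node; it does not stop the attack traffic from arriving.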