[pve-devel] [PATCH pve-firewall 0/2] Fix #2450: synflood protection

Alexandre Derumier aderumier at odiso.com
Tue Nov 12 13:59:02 CET 2019


Currently, a virtio-net + vhost-net setup can handle between 200 and 300 kpps for each VM (with 1 core / queue=1).
That means a VM can easily be overloaded with a simple synflood (hping3 --flood -p 80 -S targetip).
Also, the conntrack table of the host can be saturated easily.

This patch introduces a new option that enables rate limiting of SYN/s by source IP (protection_synflood:1).

The rate limit can be set with: protection_synflood_rate (default 200 SYN/s),
with an extra burst: protection_synflood_rate (default 1000).

It's also possible to reduce the conntrack SYN timeout: nf_conntrack_tcp_timeout_syn_recv (default 60).

With default values, a source IP can take around 60 * 200 = 12000 conntrack entries.

The iptables rules are added in the raw table, before the packets reach conntrack.

This protection works fine for non-spoofed source IPs.
For spoofed source IPs, the only way would be to implement SYNPROXY,
but this only works for routed/NAT setups (the host needs to be able to reply
with the source IP of the VM) and needs https://bugzilla.proxmox.com/show_bug.cgi?id=2451

Some good information about synflood protection:
https://2014.rmll.info/slides/356/day_1-1400-Jesper_Brouer-DDoS_protection_using_Netfilter_iptables.pdf


Alexandre Derumier (2):
  iptables : add raw table support
  add synflood protection

 src/PVE/Firewall.pm             | 180 +++++++++++++++++++++++++++-----
 src/PVE/Service/pve_firewall.pm |  27 +++--
 test/fwtester.pl                |  10 +-
 3 files changed, 175 insertions(+), 42 deletions(-)

-- 
2.20.1
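As an added illustration (not the rule text of this patch series, which is not shown here), the following POSIX shell snippet builds a raw-table hashlimit rule of the kind the cover letter describes and computes the per-source conntrack budget from the rate and the SYN_RECV timeout. The hashlimit match and its options are standard iptables; the exact rule layout, chain and names are my assumptions.

```shell
#!/bin/sh
# Added example: per-source-IP SYN rate limiting in the raw table, i.e. before
# conntrack sees the packet. This is an illustration written for this page,
# not the pve-firewall patch's own rules. Nothing is applied to the kernel;
# the functions only print text.

# Emit an iptables-restore fragment for the raw table. Arguments: sustained
# SYN/s allowed per source IP and the extra burst (patch defaults: 200 / 1000).
# Review it, then load with `iptables-restore --test` first (parse only) and
# `iptables-restore -n` (no flush) as root. The hashlimit match is stateless
# and keys on the source address (--hashlimit-mode srcip); SYNs above the
# rate are dropped here and therefore never create a conntrack entry.
synflood_rules() {
    rate=$1
    burst=$2
    printf '%s\n' \
        '*raw' \
        ':PREROUTING ACCEPT [0:0]' \
        "-A PREROUTING -p tcp --syn -m hashlimit --hashlimit-name synflood --hashlimit-mode srcip --hashlimit-above ${rate}/s --hashlimit-burst ${burst} -j DROP" \
        'COMMIT'
}

# Upper bound on conntrack entries a single source can hold with the rule in
# place: allowed SYN/s multiplied by the SYN_RECV timeout in seconds. With the
# patch defaults (200 SYN/s, 60 s) this is 12000.
conntrack_budget() {
    rate=$1
    timeout=$2
    echo $((rate * timeout))
}

# Current SYN_RECV timeout from the running kernel, falling back to the
# documented default of 60 s when the sysctl is not readable (e.g. no
# nf_conntrack module loaded, or not running on Linux).
syn_recv_timeout() {
    f=/proc/sys/net/netfilter/nf_conntrack_tcp_timeout_syn_recv
    if [ -r "$f" ]; then cat "$f"; else echo 60; fi
}
```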
