LoadMaster and Distributed Denial of Service (DDoS) attack

While the LoadMaster is not a replacement for your firewall, it is a hardened Linux appliance and can help mitigate certain kinds of DDoS attacks as part of a well-formed defense-in-depth (DiD) strategy.

The LoadMaster can help block SYN floods: it maintains a backlog of 1024 half-open SYN connections before enabling SYN cookies, after which no per-connection state is held for SYNs that are never acknowledged. The LoadMaster also supports something similar to TCP splicing/delayed binding; the Layer 4 logic is handled by LVS/IPVS with a few enhancements and is a kind of splicing. When operating at Layer 7, the LoadMaster acts as a full proxy, terminating TCP connections at the LoadMaster on both sides, so only completed client handshakes result in connections to the Real Servers. This reduces the load that fake requests place on the Real Servers.

According to RFC 4987 (Section 4) - http://tools.ietf.org/html/rfc4987:

“Several vendors of commercial firewall products sell devices that can mitigate SYN flooding's effects on end hosts by proxying connections.”

Since the LoadMaster supports a Layer 7 full proxy, it provides mitigation comparable to those devices. We do not have full numbers for a SYN flood situation, but 1800 SYN packets/second generated only 15% CPU utilization on a LoadMaster 2200.

Example:

Using juno.c - http://www.packetstormsecurity.org/DoS/juno.c, an attack was run against a LoadMaster 2200. It was able to withstand over 60,000 SYN packets/second at 100% CPU utilization. Meanwhile, the Web User Interface (WUI) and the Virtual Service both remained available, though slowed. Since the LoadMaster does not pass half-open TCP connections to the Real Servers, the LoadMaster takes the brunt of any such attack.
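The following Python model is added here as an illustration; it is not part of the original article and is not Kemp's LoadMaster code. It shows the two behaviours the article relies on: a bounded half-open backlog that switches to SYN cookies once it is full, and a proxy that counts a connection as established only after the client's ACK is validated, so half-open connections never reach a Real Server. The 1024-entry backlog constant is taken from the article; the cookie bit layout (5-bit time counter, 3-bit MSS index, 24-bit keyed hash, as described in RFC 4987's SYN cookies section), the MSS table, the secret and the sample addresses are constructed assumptions for the demo, not LoadMaster's actual implementation.

```python
import hashlib
import hmac
import random
from dataclasses import dataclass, field

# Constructed parameters for this simulation; none of these are LoadMaster internals.
SYN_BACKLOG = 1024                     # half-open entries held before falling back to SYN cookies
SECRET = b"constructed-demo-secret"    # keyed-hash secret for minting cookies (assumption)
MSS_TABLE = (536, 1300, 1440, 1460)    # MSS values encodable in the cookie's 3 MSS bits (assumption)


def _cookie(src, sport, dst, dport, t, mss_idx):
    """Mint a SYN cookie: 5-bit time counter, 3-bit MSS index, 24-bit keyed hash of the 4-tuple and t."""
    msg = f"{src}:{sport}:{dst}:{dport}:{t}".encode()
    h = int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")
    return ((t & 0x1F) << 27) | ((mss_idx & 0x7) << 24) | h


@dataclass
class Listener:
    """A proxy-side TCP listener that holds half-open state only while the backlog has room."""
    backlog: dict = field(default_factory=dict)   # (src, sport) -> (isn, mss) for half-open SYNs
    cookies_active: bool = False
    established: int = 0
    rejected: int = 0

    def on_syn(self, src, sport, dst, dport, mss, t):
        """Return the ISN to place in the SYN-ACK; stateful until the backlog fills, stateless after."""
        if not self.cookies_active and len(self.backlog) >= SYN_BACKLOG:
            self.cookies_active = True
        if not self.cookies_active:
            isn = random.getrandbits(32)
            self.backlog[(src, sport)] = (isn, mss)
            return isn
        # Cookie mode: encode the largest table MSS not above the client's offer, keep no state.
        mss_idx = max([i for i, m in enumerate(MSS_TABLE) if m <= mss] or [0])
        return _cookie(src, sport, dst, dport, t, mss_idx)

    def on_ack(self, src, sport, dst, dport, ack, t):
        """Return the negotiated MSS if the ACK completes a handshake, otherwise None."""
        key = (src, sport)
        entry = self.backlog.get(key)
        if entry is not None and (entry[0] + 1) & 0xFFFFFFFF == ack:
            del self.backlog[key]
            self.established += 1
            return entry[1]
        if self.cookies_active:
            cookie = (ack - 1) & 0xFFFFFFFF
            mss_idx = (cookie >> 24) & 0x7
            # Accept cookies minted in the current or previous counter tick only.
            for cand in (t, t - 1):
                if cand >= 0 and _cookie(src, sport, dst, dport, cand, mss_idx) == cookie:
                    self.established += 1
                    return MSS_TABLE[mss_idx]
        self.rejected += 1
        return None


def simulate(half_open_syns, t=7):
    """Leave `half_open_syns` handshakes incomplete, then check that a legitimate client
    still connects and that an ACK with no matching SYN or valid cookie is refused."""
    lst = Listener()
    for i in range(half_open_syns):
        # Constructed source addresses; these SYNs are never acknowledged (no timer in this model).
        lst.on_syn(f"10.0.{i >> 8}.{i & 0xFF}", 40000 + i, "192.0.2.10", 443, 1460, t)
    isn = lst.on_syn("198.51.100.5", 51515, "192.0.2.10", 443, 1440, t)
    legit_mss = lst.on_ack("198.51.100.5", 51515, "192.0.2.10", 443, (isn + 1) & 0xFFFFFFFF, t + 1)
    bogus = lst.on_ack("203.0.113.9", 1234, "192.0.2.10", 443, 12345, t + 1)
    return {
        "backlog_entries": len(lst.backlog),
        "cookies_active": lst.cookies_active,
        "legit_mss": legit_mss,
        "bogus_accepted": bogus is not None,
        "established": lst.established,
        "rejected": lst.rejected,
    }


if __name__ == "__main__":
    print(simulate(100))          # stateful path: backlog has room, cookies stay off
    print(simulate(SYN_BACKLOG))  # backlog full: cookies on, legitimate client still completes
```

Running `simulate(100)` keeps the listener on the stateful path, while `simulate(SYN_BACKLOG)` fills the backlog so the legitimate client is served by a cookie instead; in both cases the forged ACK is refused and nothing is ever handed to a Real Server until `on_ack` succeeds. The cookie window of two counter ticks and the absence of a half-open timeout are simplifications of the model, not properties of the appliance.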
