Mailing List Archive

Strange interaction
I have an odd/strange/interesting situation that I am at a complete loss to
explain.

I have two serverirons, one with 50 servers, the other has 100 servers.
Serverirons are running on firmware version 07.3.05aT12 and are configured
with hand-off load balancing. All the servers are running stock RH 6.2. I
recently change the TCP syn-def parameter down to 2 seconds to battle some
ddos attacks. After the change, I started to have from 2 to 6 dead servers
in the morning, not just health-check dead, but completely kernel-panic type
dead. With nothing showing in the logs on the servers. They tended to go
down early to mid morning, all at different times and not the same servers
each day. This time of day is neither the highest nor lowest traffic period.
The 50 server lb, which handles about 3 times the number of requests as the
other had the problem in a greater degree.

I changed the parameter to 4 seconds and the problem went away.

Tarot cards and pigeon entrails have shed no light on this - does anybody
have any ideas on what could be happening here?

TIA,
Bill
Strange interaction [ In reply to ]
Hi,

Le Tue, Mar 04, 2003 at 03:07:00PM -0800 or thereabouts, Bill McCaffrey écrivait:
> All the servers are running stock RH 6.2. I
> recently change the TCP syn-def parameter down to 2 seconds to battle some
> ddos attacks. After the change, I started to have from 2 to 6 dead servers
> in the morning, not just health-check dead, but completely kernel-panic type
> dead.

Well you'd better upgrade your servers with a brand new kernel, 6.2
kernels should be running a bogus kernel tcp/ip stack.
cf: http://lists.insecure.org/lists/bugtraq/1996/May/0017.html

>
> Tarot cards and pigeon entrails have shed no light on this - does anybody
> have any ideas on what could be happening here?

I think you should try bugtraq it works better, and it saves pigeons.

Regards,
--
Jean Barbezat
"Every day, computers are making people easier to use."