Date:      Fri, 10 Jan 2003 12:04:09 -0800
From:      Terry Lambert <tlambert2@mindspring.com>
To:        nbari@unixmexico.com
Cc:        freebsd-isp@freebsd.org
Subject:   Re: DOS attack
Message-ID:  <3E1F2739.7BBFB04F@mindspring.com>
References:  <10497.148.243.246.5.1042225375.squirrel@mail.unixmexico.com>

nbari@unixmexico.com wrote:
> Hi, I was the victim of a DOS attack; my server was out for about 5 hours,
> and services like web and email were down.
> 
> I am using round robin DNS for load balancing, but this only helps for
> my web services. Any idea how I can make a redundant service for web
> and email services? Something like MySQL does with its replication
> function?

SMTP is handled via MX records in your DNS; just set up backup
mail exchangers.

POP3/IMAP4 is problematic.  The data there has locality on the
server, and there's no way, short of storing your data in a shared
storage area, to guarantee accessibility from more than one front
end server.  One possible approach is to use a small proxy, and
when the proxy server is DDOS'ed, just switch over to a different
proxy server.  This works better for IMAP (persistent connections)
than for POP3 (new connection on each download attempt).

In any implementation, your "real" back end servers should only be
reachable from the front end servers, so that a DDOS on one back
end server does not starve a bunch of front end servers.

The typical way this is handled is by buying a load balancer and
configuring it to act as a "circuit breaker".

This assumes that the load balancer knows how to shed load
properly, such that it won't livelock, and can't be overwhelmed
(e.g. RED-queuing, etc.).


> I don't want to use hardware, only software

Looks like you are going to be spending money on rack space and
PCs doing no useful work, other than running proxies.  You can
get an IMAP4 proxy from the Cyrus project; there are POP3
proxies out there (search for them), or you can write your own.

-- Terry
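
The backup mail exchanger behaviour mentioned in the reply above, as an added example that is not part of the original message: a sending MTA tries MX hosts in ascending preference order and falls back to the backups when the primary is unreachable. The host names, preference values and reachability sets are constructed for illustration, and nothing here touches DNS or SMTP.

```python
"""Sender-side MX failover, simulated offline (constructed data only)."""
import random

# Constructed zone data: (preference, host). Lower preference is tried first.
MX_RECORDS = [
    (20, "mx-backup1.example.net"),
    (10, "mx-primary.example.com"),
    (20, "mx-backup2.example.org"),
]


def delivery_order(records, rng=random):
    """Order exchangers as a sending MTA does: ascending preference,
    with hosts of equal preference shuffled to spread load."""
    by_pref = {}
    for pref, host in records:
        by_pref.setdefault(pref, []).append(host)
    order = []
    for pref in sorted(by_pref):
        group = by_pref[pref][:]
        rng.shuffle(group)
        order.extend(group)
    return order


def deliver(records, reachable, rng=random):
    """Return (accepting_host, hosts_tried). accepting_host is None when every
    exchanger is down; a real sender then queues the message and retries."""
    tried = []
    for host in delivery_order(records, rng):
        tried.append(host)
        if host in reachable:
            return host, tried
    return None, tried


if __name__ == "__main__":
    everyone = {host for _, host in MX_RECORDS}
    primary_down = everyone - {"mx-primary.example.com"}
    print("normal:      ", deliver(MX_RECORDS, everyone))
    print("primary down:", deliver(MX_RECORDS, primary_down))
    print("all down:    ", deliver(MX_RECORDS, set()))
```

The last case shows the limit of the approach: if the backups share the primary's network, one attack takes out every exchanger and senders can only queue and retry.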
