From owner-freebsd-isp Fri Jan 10 12:54:52 2003
Delivered-To: freebsd-isp@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9F66837B401 for ; Fri, 10 Jan 2003 12:54:50 -0800 (PST)
Received: from clover.kientzle.com (user-112uh9a.biz.mindspring.com [66.47.69.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id B24BE43F18 for ; Fri, 10 Jan 2003 12:54:49 -0800 (PST) (envelope-from kientzle@acm.org)
Received: from acm.org (c43 [66.47.69.43]) by clover.kientzle.com (8.11.3/8.11.3) with ESMTP id h0AKskE64956; Fri, 10 Jan 2003 12:54:46 -0800 (PST) (envelope-from kientzle@acm.org)
Message-ID: <3E1F3312.8070605@acm.org>
Date: Fri, 10 Jan 2003 12:54:42 -0800
From: Tim Kientzle
Reply-To: kientzle@acm.org
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:0.9.6) Gecko/20011206
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: nbari@unixmexico.com
Cc: freebsd-isp@FreeBSD.ORG
Subject: Re: DOS attack
References: <10497.148.243.246.5.1042225375.squirrel@mail.unixmexico.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

nbari@unixmexico.com wrote:

> I am using round robin DNS for load balancing, but this only helps for
> my web services

Round robin DNS is a simple way to distribute load, but it doesn't do it very evenly and provides no failover. (Each client only sees one of your IP addresses; if that server is inaccessible for any reason, those clients won't be able to connect.)

Also, remember that if a DoS attack is saturating your link(s), then there's nothing you can do at your end. If there's no bandwidth for legitimate requests, then they won't be able to reach your server.
However, with careful firewalling and load-testing, you should be able to ensure that your servers don't actually crash during an attack. How you handle this will depend on your bandwidth, of course; if you have a 384kbps DSL line, then a spare PC running ipfw should be able to handle your firewall requirements. If you have multiple T3s, then you'll need something more robust.

> .. any idea on how can I make a redundant service for web
> and email services? Something like MySQL does with its replication
> function?

Set up multiple MX records for email pointing to various servers. Each of those forwards to a common back-end mailbox server. If those servers are on different subnets with independent connections, that's even better.

Redundant web services depend a lot on your particular application architecture. Static data is easy to replicate; it's also easy to set up redundant application servers against a shared database. Replicating live data over a distance in real-time? That's hard.

Tim Kientzle

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-isp" in the body of the message
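
The following is an added example, not part of the original message: a small Python model contrasting the two mechanisms the reply describes, round-robin A records (modelled, as in the reply, with each client using one address and never retrying) and multiple MX records (tried in preference order, per RFC 5321 section 5.1). All host names and addresses are constructed sample values.

```python
import random

# Constructed sample records (documentation address space, hypothetical names).
A_RECORDS = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]   # round-robin web pool
MX_RECORDS = [(10, "mx1.example.net"),                   # (preference, host)
              (10, "mx2.example.net"),
              (20, "backup-mx.example.org")]

def web_client_connects(client_id, down):
    """Model from the reply: a client sees one A record and does not retry."""
    addr = A_RECORDS[client_id % len(A_RECORDS)]
    return addr not in down

def web_failure_rate(down, clients=300):
    """Fraction of clients that cannot connect when the hosts in `down` are off."""
    failed = sum(not web_client_connects(c, down) for c in range(clients))
    return failed / clients

def mx_delivery_order(records, rng):
    """Order in which a sending MTA tries relays: lowest preference first,
    shuffled within equal preference to spread load."""
    by_pref = {}
    for pref, host in records:
        by_pref.setdefault(pref, []).append(host)
    order = []
    for pref in sorted(by_pref):
        group = by_pref[pref][:]
        rng.shuffle(group)
        order.extend(group)
    return order

def mail_delivers(down, rng):
    """Return the first reachable relay, or None if every relay is down."""
    for host in mx_delivery_order(MX_RECORDS, rng):
        if host not in down:
            return host
    return None

if __name__ == "__main__":
    rng = random.Random(1)
    print("web failure rate, one of three servers down:",
          web_failure_rate({"192.0.2.11"}))
    print("relay used with mx1 down:",
          mail_delivers({"mx1.example.net"}, rng))
    print("relay used with both primaries down:",
          mail_delivers({"mx1.example.net", "mx2.example.net"}, rng))
```

With one of three web servers down, a third of the modelled clients fail outright, while mail still reaches a relay until every MX host is unreachable.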