[f-nsp] Trying to filter bad traffic with serveriron.

Tom Samplonius tom at uniserve.com
Fri Dec 22 17:38:24 EST 2006


   If this is a ServerIronXL, you are probably best not to use the L7 feature for 
the sole purpose of blocking bot traffic.  The L7 features mean that a lot of 
the switching has to go through the CPU, rather than the ASIC.  In most cases, 
this will reduce the maximum performance from 60,000 connections per second to 
10,000 or fewer.

   Why not just create some empty files (cmd.exe) on the nodes, and let the 
web servers serve up empty files?  It is probably less load and less traffic on 
your network.

Tom

On Thu, 21 Dec 2006, supportnew at byethost.com wrote:

> Hi All,
>
> Please excuse the long post; however, I'm trying to give as much
> information as possible initially.
>
> I'm 'hoping' someone might be able to help me with an issue I'm having
> with a Foundry Networks ServerIron:
>
> SW: Version 07.3.05bT12 Copyright (c) 1996-2002 Foundry Networks, Inc.
>    Compiled on Oct 19 2002 at 14:06:16 labeled as SLB07305b
>
> I'm trying to url-switch some traffic initially to keep some bad bot
> traffic off my web servers which are behind the ServerIron LB.
>
> My config looks like:
>
> -----------------start config ------------------
>
>
> Current configuration:
> !
> ver 07.3.05bT12
> !
> !
> server force-delete
> server predictor round-robin
> server syn-def 6
> !
> url-map "abusefiles"
> method pattern
> default "letgoby"
> match "ip.txt" 1
> match "re39-ip.txt" 1
> match "fibi.txt" 1
> match "cmd.exe" 1
> match "root.exe" 1
> match ".scr" 1
> match "18.txt" 1
> match "config.htm" 1
> match "tec.mp3" 1
> match "imgtd.swf" 1
> !
> url-map "letgoby"
> default 0
> !
> !
> !
> !
> server monitor
> !
> server real node21 x.x.x.x
> port http
> port http keepalive
> port http url "HEAD /"
>
> port http content-match host2
> !
> server cache-name anchor x.x.x.x
> port http
> port http no-health-check
> port http url "HEAD /"
> port http l4-check-only
> port http group-id  1 1
> !
> server real node20 x.x.x.x
> port http
> port http keepalive
> port http url "HEAD /"
> port http content-match host2
> !
> server real node10 x.x.x.x
> port http
> port http keepalive
> port http url "HEAD /"
> port http content-match host2
> !
> server real node11 x.x.x.x
> port http
> port http keepalive
> port http url "HEAD /"
> port http content-match host2
> !
> server real node13 x.x.x.x
> port http
> port http keepalive
> port http url "HEAD /"
> port http content-match host2
> !
> server real node14 x.x.x.x
> port http
> port http keepalive
> port http url "GET http://node14.cluster.com/lbtest.php"
> port http content-match host2
> !
> server real node15 x.x.x.x
> port http
> port http keepalive
> port http url "GET http://node15.cluster.com/lbtest.php"
> port http content-match host2
> !
> server real node16 x.x.x.x
> port http
> port http keepalive
> port http url "GET http://node16.cluster.com/lbtest.php"
> port http content-match host2
> !
> server real node17 x.x.x.x
> port http
> port http keepalive
> port http url "GET http://node17.cluster.com/lbtest.php"
> port http content-match host2
> !
> server real node18 x.x.x.x
> port http
> port http keepalive
> port http url "GET http://node18.cluster.com/lbtest.php"
> port http content-match host2
> !
> server real node1 x.x.x.x
> port http
> port http keepalive
> port http url "GET http://node1.cluster.com/index.html"
> port http content-match host
> !
> server real node2 x.x.x.x
> port http
> port http keepalive
> port http url "GET http://node2.cluster.com/index.html "
> port http content-match host
> !
> server real node3 x.x.x.x
> port http
> port http keepalive
> port http url "GET http://node3.cluster.com/index.html "
> port http content-match host
> !
> server real node4 x.x.x.x
> port http
> port http keepalive
> port http url "GET http://node4.cluster.com/index.html"
> port http content-match host
> !
> server real node5 x.x.x.x
> port http
> port http keepalive
> port http url "GET http://node5.cluster.com/index.html"
> port http content-match host
> !
> server real node6 x.x.x.x
> port http
> port http keepalive
> port http url "GET http://node6.cluster.com/index.html "
> port http content-match host
> !
> server real node7 x.x.x.x
> port http
> port http keepalive
> port http url "GET http://node7.cluster.com/index.html "
> port http content-match host
> !
> !
> server virtual host x.x.x.x
> predictor least-conn
> port http sticky
> bind http node20 http node10 http node11 http node13 http
> bind http node14 http node15 http node16 http node17 http
> bind http node18 http node21 http
> !
> server virtual host2 x.x.x.x
> predictor least-conn
> port http sticky
> bind http node1 http node2 http node3 http node4 http
> bind http node5 http node6 http node7 http
> !
> server cache-group 1
> cache-name anchor
> url-map abusefiles
> no-group-failover
> no http-cache-control
> url-switch
> !
> !
> vlan 1 name DEFAULT-VLAN by port
> !
> enable telnet password .....
> enable super-user-password .....
> hostname ByetLB
> ip tcp burst-normal 15 burst-max 25 lockup 400
> ip address x.x.x.x 255.255.255.0
> ip default-gateway x.x.x.x
> ip dns server-address x.x.x.x
> ip policy 1 cache tcp http global
> ip policy 2 cache tcp 0 global
> http match-list host
> default down
> up simple "pattern match 2"
> http match-list host2
> default down
> up simple "pattern match 1"
>
> snmp-server community ..... rw
>
> -------- end config ------------
>
>
> When this config is in place, I see connections going to the cache server
>
> ----------------------------------------------------------------------------------------------------------
>
> #show server
> node21              6         30       2799          0        334         45
> anchor              6       6637      37625          0      13274       6639
> node20              6         29       4286          0        356         57
> ----------------------------------------------------------------------------------------------------------
>
>
> and
>
> ----------------------------------------------------------------------------------------------------------
>
> #show cache-group
>
> Cache Server Name                Admin-status Hash-distribution
> anchor                           6            0
>
> HTTP Traffic  From <-> to  Web-Caches
>
> Name: anchor          IP: x.x.x.x    State: 6   Groups =   1
>
>                                  Host->Web-cache       Web-cache->Host
>                      State   CurConn TotConn Packets    Octets   Packets    Octets
> Client             active  6637    37669   16         1088     45         2700
> Web-Server         active  0       0       0          0        0          0
> Total                      6637    37669   16         1088     45         2700
> ------------------------------------------------------------------------------------------------------
>
>
> shows packets going back / forward from the cache-group
>
> The cache-server anchor is pingable from the load balancer, and is
> running an HTTP server (which cannot serve the requested content).
>
> When I try to browse to a file in the url-map (say 18.txt), the file is
> served (not what I wanted), and after 10/15 minutes of running in
> this config, lots of genuine web requests start to get a dreaded "The
> connection to the server was reset while the page was loading." error
> (eeeek).
>
> This is driving me crazy, as to my knowledge (and it is slim with this
> load balancer), the config looks good.
>
> Can anyone help me here (despair is about to begin!!  :/ )  Or
> maybe point me to somewhere where this question might be able to be
> responded to (pretty please with a cherry on the top!!)
>
> Many Thanks in advance
> Kevin Myers
>
>
>
>
> _______________________________________________
> foundry-nsp mailing list
> foundry-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/foundry-nsp
>

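Whether the url-map above is kept or Tom's cheaper "serve an empty file" route is taken, it is worth replaying real access logs through the match list first. If `method pattern` means what the config appears to intend, namely that each match string is looked for anywhere in the request URL, then a pattern like `config.htm` also catches legitimate paths such as `/docs/config.html`, and every request it catches is one more on the CPU-bound L7 path. The script below is an added example written for this thread, not code from the original posts or from Foundry: it parses the quoted url-map block, runs constructed sample log lines through a first-match-wins substring check (substring and case-insensitive semantics for `method pattern` are assumptions; confirm them against the ServerIron documentation for your release), and reports which requests would be diverted to the cache-group and which patterns fire.

```python
"""Replay access-log requests through a ServerIron-style url-map to see what
would be url-switched.  Added example for this thread, not Foundry code."""
import re
from collections import Counter

# The url-map block quoted in the thread (copied from the posted config).
URL_MAP_CONFIG = """\
url-map "abusefiles"
method pattern
default "letgoby"
match "ip.txt" 1
match "re39-ip.txt" 1
match "fibi.txt" 1
match "cmd.exe" 1
match "root.exe" 1
match ".scr" 1
match "18.txt" 1
match "config.htm" 1
match "tec.mp3" 1
match "imgtd.swf" 1
"""

# Constructed sample log lines (Common Log Format); not from the original post.
SAMPLE_LOG = """\
1.2.3.4 - - [21/Dec/2006:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
1.2.3.5 - - [21/Dec/2006:10:00:02 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 0
1.2.3.6 - - [21/Dec/2006:10:00:03 +0000] "GET /18.txt HTTP/1.1" 200 0
1.2.3.7 - - [21/Dec/2006:10:00:04 +0000] "GET /docs/config.html HTTP/1.1" 200 2048
1.2.3.8 - - [21/Dec/2006:10:00:05 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0
1.2.3.9 - - [21/Dec/2006:10:00:06 +0000] "GET /images/logo.gif HTTP/1.1" 200 4096
"""

MATCH_RE = re.compile(r'^\s*match\s+"([^"]+)"\s+(\d+)\s*$')
DEFAULT_RE = re.compile(r'^\s*default\s+"?([^"\s]+)"?\s*$')
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST)\s+(\S+)\s+HTTP/')


def parse_url_map(config_text):
    """Return (default_target, [(pattern, group_id), ...]) in config order."""
    default, patterns = None, []
    for line in config_text.splitlines():
        m = MATCH_RE.match(line)
        if m:
            patterns.append((m.group(1), int(m.group(2))))
            continue
        m = DEFAULT_RE.match(line)
        if m:
            default = m.group(1)
    return default, patterns


def classify(url, patterns):
    """First pattern found anywhere in the URL wins.

    Assumption: 'method pattern' is a case-insensitive substring match.  The
    thread does not spell out the exact semantics, so check the ServerIron
    documentation for your release before relying on this."""
    url_lc = url.lower()
    for pattern, group_id in patterns:
        if pattern.lower() in url_lc:
            return pattern, group_id
    return None, None


def summarize(log_text, config_text):
    """Count requests the url-map would divert and which patterns fire."""
    default, patterns = parse_url_map(config_text)
    hits, diverted, total = Counter(), [], 0
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        total += 1
        url = m.group(1)
        pattern, group_id = classify(url, patterns)
        if pattern is not None:
            hits[pattern] += 1
            diverted.append((url, pattern, group_id))
    return {
        "default": default,
        "total": total,
        "diverted": diverted,
        "hits": hits,
        "diverted_fraction": (len(diverted) / total) if total else 0.0,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG, URL_MAP_CONFIG)
    print(f"{len(report['diverted'])}/{report['total']} requests would be "
          f"url-switched to group-id targets; the rest fall through to "
          f"url-map '{report['default']}'")
    for url, pattern, group_id in report["diverted"]:
        # A legitimate /docs/config.html is caught by "config.htm": tighten
        # such patterns before deploying.
        print(f"  {url:45s} <- {pattern!r} (group-id {group_id})")
```

Run it against a day of real logs instead of `SAMPLE_LOG` and the `diverted_fraction` figure gives a rough idea of how much traffic would leave the ASIC path; the per-pattern `hits` counter shows which match strings are earning their place and which, like `config.htm` in the sample, are too broad.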