On Tue, Sep 25, 2012 at 2:02 PM, Jack Neely <[email protected]> wrote:
> My network engineers tell me that the firewall in one DC had 8000
> concurrent connections from the offending IP address to the KDCs and
> 4000 in the second DC. (Oddly, the DC with only 1 slave.) The KDCs
> weren't able to handle other requests until the spike settled.
>
> Well then, that's the place where you should apply a limit.
>
> iptables -A INPUT -p tcp --dport 88 -m limit --limit 4/min --limit-burst 6 -j ACCEPT
> iptables -A INPUT -p tcp --dport 88 -j DROP
>

The problem with a rule like that is that the attack succeeds: you are dropping arbitrary requests from arbitrary users. It's the exact same effect as just letting the server get overwhelmed.

Another problem is that you are limiting TCP whereas Kerberos will use UDP.

UDP plays havoc with firewalls, and as Russ points out, that's where the problem is likely to really lie. 8000 concurrent "connections" from one host is symptomatic of a firewall problem.

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
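The two objections in the reply above (a single global `-m limit` bucket throttles every client once one host floods, and a TCP-only rule never sees the UDP traffic Kerberos normally uses) can be illustrated with a rule generator. This is an added example, not code from the thread or from any poster: it emits the quoted TCP-only ruleset next to a per-source variant that uses the `hashlimit` match keyed on the client address and covers both UDP and TCP on port 88. `KDC_PORT`, `RATE` and `BURST` are assumed values; the commands are only printed unless `APPLY=1` is set.

```shell
#!/bin/sh
# Added example: iptables rules for a KDC listener, weak form beside a
# per-source form. Not from the mailing-list thread. KDC_PORT, RATE and
# BURST are assumed defaults; tune them to the realm's real request rate.
KDC_PORT=${KDC_PORT:-88}
RATE=${RATE:-50/sec}
BURST=${BURST:-100}

# Print the command by default; run it only when APPLY=1 (dry run otherwise).
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

# Weak form as quoted in the thread: one global token bucket, TCP only.
# Once any single source exhausts the bucket, every other client's TCP
# request is dropped too, and UDP requests are never matched at all.
weak_rules() {
    run -A INPUT -p tcp --dport "$KDC_PORT" -m limit --limit 4/min --limit-burst 6 -j ACCEPT
    run -A INPUT -p tcp --dport "$KDC_PORT" -j DROP
}

# Per-source form: the hashlimit match keeps one bucket per client address
# (--hashlimit-mode srcip), so a flooding host is dropped above RATE while
# other clients keep their own allowance. Both transports are covered.
kdc_rules() {
    for proto in udp tcp; do
        run -A INPUT -p "$proto" --dport "$KDC_PORT" \
            -m hashlimit --hashlimit-mode srcip --hashlimit-name "kdc_$proto" \
            --hashlimit-above "$RATE" --hashlimit-burst "$BURST" -j DROP
        run -A INPUT -p "$proto" --dport "$KDC_PORT" -j ACCEPT
    done
}

# Stand-alone run: show both rulesets (dry run unless APPLY=1).
echo "# weak (quoted) rules:"
weak_rules
echo "# per-source rules:"
kdc_rules
```

Two caveats follow from the reply itself: a UDP source address is easy to forge, so per-source limiting only helps against a host that really is the sender, and if the firewall's own state table is what is buckling under 8000 tracked "connections" from one address, no limit on the KDC side fixes that; it has to be ruled out first.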
