[21851] in bugtraq
Re: cisco local director DOS.
daemon@ATHENA.MIT.EDU (Rainer Nagel)
Wed Jul 25 15:24:49 2001
To: BUGTRAQ@netspace.org
From: Rainer.Nagel@dragon.angor.de (Rainer Nagel)
Date: 24 Jul 2001 21:55:42 GMT
Message-ID: <slrn9lrrmu.a8d.Rainer.Nagel@dragon.angor.de>
Reply-To: Rainer.Nagel@tashrah.com
Hi Bill,
On 24 Jul 2001 21:56:28 +0200,
Bill Robbins <robbins@hostopia.com> wrote:
> If your Cisco local directors are configured to do all port mappings (0:0)
> and not port-bound virtuals (port-to-port mappings), you can easily DOS
> the local director by causing the "no answer reassign" to surpass its
> default threshold counter of 8.
>
> By port scanning a 0:0 VIP where the real servers are not listening
> to all ports, you can easily cause the "no answer reassign" counter to
> surpass the threshold which takes the real machine out of service.
>
> During non-peak times when the amount of valid connections coming in
> is limited, the threshold does not reset itself in time. Once you have
> done this with all real servers in the VIP, the VIP will be unresponsive.
> You must reset the VIP to make it active again. This could be a harmful
> DOS on larger sites that have not configured their LDs correctly.
AFAIK the same applies to the SLB feature of the MSFC in Cisco Catalyst
6000 series.
My understanding was that if all real servers have failed, the load balancer
tries all of them regardless of their state. Maybe this applies only to the SLB
feature of the MSFC.
Ciao
--
Rainer Nagel
Rainer.Nagel@tashrah.com
Duesseldorfer Linux User Group - http://www.dlug.de