15 Dec
2014
15 Dec
'14
12:37 p.m.
Cau,
behem aktualniho vypadku node5.prg jsem si vsimnul ze doslo k
zaloopovani routingu:
7 78.102.13.33.static.b2b.upcbusiness.cz (78.102.13.33) 18.345 ms
15.667 ms 11.257 ms
8 cz-prg01a-ra4-vla2119.net.upc.cz (84.116.221.78) 9.942 ms 10.872
ms 10.674 ms
9 213.46.172.222 (213.46.172.222) 12.096 ms 213.46.180.18
(213.46.180.18) 11.938 ms 213.46.172.229 (213.46.172.229) 12.523 ms
10 cz-prg-asbr1-te0-0-0-5.dialtelecom.cz (82.119.252.105) 12.487 ms
14.653 ms 14.992 ms
11 master-gw.dialtelecom.cz (212.24.145.50) 14.333 ms 14.180 ms
14.004 ms
12 praha-4d-c1-vl260.masterinter.net (81.31.39.82) 23.238 ms 55.936
ms 62.881 ms
13 praha-4d-c1-vl128-vpsfree.masterinter.net (81.31.40.98) 34.070 ms
34.065 ms 34.029 ms
14 praha-4d-c1-vl128.masterinter.net (81.31.40.97) 65.664 ms 68.594
ms 48.617 ms
15 praha-4d-c1-vl128-vpsfree.masterinter.net (81.31.40.98) 11.639 ms
15.290 ms 15.274 ms
16 praha-4d-c1-vl128.masterinter.net (81.31.40.97) 48.856 ms 48.797
ms 48.378 ms
17 praha-4d-c1-vl128-vpsfree.masterinter.net (81.31.40.98) 16.499 ms
16.440 ms 24.008 ms
18 praha-4d-c1-vl128.masterinter.net (81.31.40.97) 42.477 ms 42.921
ms 42.380 ms
19 * * *
20 praha-4d-c1-vl128.masterinter.net (81.31.40.97) 40.163 ms 36.560
ms 36.508 ms
21 * praha-4d-c1-vl128-vpsfree.masterinter.net (81.31.40.98) 13.699 ms
9.331 ms
22 praha-4d-c1-vl128.masterinter.net (81.31.40.97) 146.441 ms 140.939
ms 129.520 ms
23 praha-4d-c1-vl128-vpsfree.masterinter.net (81.31.40.98) 15.748 ms
13.014 ms *
24 praha-4d-c1-vl128.masterinter.net (81.31.40.97) 120.222 ms 120.864
ms 120.865 ms
Predpokladam proto, ze jednotlive servery oznamuji kadresy OpenVZ
kontejneru dynamicky (asi OSPF). Tady bych si ale dovolil navrhnout
jednu upravu - na router vpsfree by to chtelo pridat routu na rozsahy ze
kterych jsou propagovany jednolive VPS jako blackhole (a pro jistotu
jeste s vetsi metrikou), tak aby ve chvili kdy vypadne routa ke
konkretniu VPS zacal router pakety zahazovat misto posilani ven default
routou. Protoze pokud by k padu serveru doslo v dusledku DDoS utoku,
stavajici nastaveni by monutnost utoku jeste znasobilo (zbyvajici
TTL/2*pocet paketu).
--
Stanislav Petr
glux(a)glux.org
stanislav(a)petr.email
+420 602 620 026