Protecting yourself against a DDoS with varnish

Today we received another DDoS attack on one of our clusters.

99% of the DDoS attacks we receive are floods on port 80. They are not really SYN flood attacks, but just a large stream of garbage on port 80 from thousands of hosts. Every one of those connections ties up an Apache child until it times out, so Apache keeps spawning processes until it hits its MaxClients limit and locks up, and real visitors can no longer get in.

About two weeks ago I read about Varnish. This high performance HTTP proxy also turns out to be a real life-saver when it comes to DDoS attacks.

Since we were really out of options I gave Varnish a go and installed it on our webservers. I configured Apache to listen on and Varnish to listen on the public IP.

After doing this on 10 webservers I sat back and watched everything come back to life!

This works because Varnish only forwards an HTTP request to the backend (Apache in this case) once it has read the complete request, so Apache never sees the garbage and half-finished requests and no longer spawns useless children to wait for them. Varnish still has to hold those connections itself, but it does so with lightweight threads and closes them when its session timeout expires, which is a lot cheaper than an Apache prefork process per connection.

So if you ever get hit by a DDoS (and I really hope you don't!), keep Varnish in mind, it may save you!

At the moment Varnish really looks like a permanent solution in our hosting environment. With some special Apache modules you can make it a transparent proxy, so Apache still logs the real client address instead of the proxy's; see: mod_extract_forwarded2. Just make sure that module only trusts the X-Forwarded-For header coming from Varnish itself and that Apache is not reachable from the outside, otherwise anyone can forge that header and spoof their address in your logs and access rules.
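
The layout described above, written out as the three config fragments it needs. This is an added example, not code from the original post, and it assumes things the post does not show: Debian/Ubuntu file locations, Apache moved to 127.0.0.1:8080, the public IP 203.0.113.10 (a documentation address, replace it with yours), and the VCL syntax of the Varnish 2.x releases of that time. The Apache side of mod_extract_forwarded2 is not shown.

```sh
#!/bin/sh
# Added example, not code from the original post: Varnish on the public IP,
# Apache on loopback. Assumed values (replace): Debian/Ubuntu paths, Apache on
# 127.0.0.1:8080, public IP 203.0.113.10, Varnish 2.x VCL syntax.

PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"
BACKEND_IP="127.0.0.1"
BACKEND_PORT="8080"

# default.vcl: a single backend on loopback. vcl_recv records the real client
# address in X-Forwarded-For so mod_extract_forwarded2 can hand it back to
# Apache's logs and access rules instead of 127.0.0.1. Varnish reads the whole
# request line and headers before it opens this backend connection, which is
# why the garbage never reaches Apache.
render_vcl() {
  cat <<EOF
backend default {
    .host = "$1";
    .port = "$2";
}

sub vcl_recv {
    if (req.http.X-Forwarded-For) {
        set req.http.X-Forwarded-For = req.http.X-Forwarded-For ", " client.ip;
    } else {
        set req.http.X-Forwarded-For = client.ip;
    }
}
EOF
}

# ports.conf: Apache listens on loopback only, so nothing can bypass Varnish
# and nobody outside can hand Apache a forged X-Forwarded-For. Your
# <VirtualHost *:80> blocks have to become *:8080 as well.
render_ports_conf() {
  printf 'Listen %s:%s\n' "$1" "$2"
}

# /etc/default/varnish: clients on the public IP, the management CLI (-T) on
# loopback only, since it can load new VCL and restart the cache.
render_varnish_defaults() {
  cat <<EOF
START=yes
DAEMON_OPTS="-a $1:80 -T 127.0.0.1:6082 -f /etc/varnish/default.vcl -s malloc,256m"
EOF
}

# Write everything and restart both daemons (needs root; not used by the checks).
apply() {
  render_ports_conf "$BACKEND_IP" "$BACKEND_PORT" > /etc/apache2/ports.conf
  render_vcl "$BACKEND_IP" "$BACKEND_PORT" > /etc/varnish/default.vcl
  render_varnish_defaults "$PUBLIC_IP" > /etc/default/varnish
  /etc/init.d/apache2 restart && /etc/init.d/varnish restart
}

# Afterwards: only Varnish may own the public port, and Apache must not be on
# all interfaces, otherwise the protection (and the trust in X-Forwarded-For)
# can be bypassed by connecting to Apache directly.
check_listeners() {
  listeners=$(netstat -ltn)
  printf '%s\n' "$listeners" | grep -q " $PUBLIC_IP:80 " \
    || { echo "varnish is not listening on $PUBLIC_IP:80"; return 1; }
  printf '%s\n' "$listeners" | grep -q " $BACKEND_IP:$BACKEND_PORT " \
    || { echo "apache is not listening on $BACKEND_IP:$BACKEND_PORT"; return 1; }
  printf '%s\n' "$listeners" | grep -q " 0.0.0.0:$BACKEND_PORT " \
    && { echo "apache is still reachable on all interfaces"; return 1; }
  echo "listeners look right"
}

case "${1:-}" in
  apply) apply ;;
  check) check_listeners ;;
esac
```

Run it as `sh varnish-front.sh apply` on each webserver and then `sh varnish-front.sh check`; the check is the part worth keeping in monitoring, because an Apache that is accidentally put back on the public interface silently undoes everything the post gained.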

rtc timer problems when running Asterisk in KVM

For our VoIP we use Asterisk ( ). Recently we migrated the server from a physical machine to a KVM virtual machine under Ubuntu 9.04.

When searching around I found some reports of problems running Asterisk in a VM, but there were also some success stories.

I kept getting the message:
rtc: lost some interrupts at 1024Hz

I was able to solve this by disabling APIC for this virtual machine; I kept ACPI enabled.

Multipath iSCSI under Linux

Building an iSCSI Target (server) under Linux is fairly simple: just install the Enterprise iSCSI Target (IET) and you are ready. The Initiator (client) is simple too, just use Open-iSCSI and you are ready to go. But how do you make this redundant?

When I first started using iSCSI I heard the term “multipath”; I read that you could make a redundant IP link to your iSCSI Target with multipath, but how?

Searching the web didn't give me any real practical answers. After using multipath for about 2 years now I thought, why don't I write a blog post about it so other people can have redundant iSCSI too!

For this example I have an iSCSI Target with two IPs:


These IPs are assigned to eth0 and eth1; via two switches the connectivity is provided to my initiator, which has the IPs:


So there is a redundant network connection to the target; now we just have to start using it. Each target IP is a separate path to the same LUN, and that is exactly what multipath will make use of.

My target has the IQN: “”

I assume you know how to configure IET and Open-iSCSI, so I'll skip the regular configuration. In this example my Target exports one LUN of 10GB.

On the client (Ubuntu 9.04 (Jaunty)) you have to install:

  1. open-iscsi
  2. multipath-tools

And that's it; there is no configuration needed for multipath, it all happens dynamically.

Now we discover the Target on both IPs and log in to it over each of them:

iscsiadm -m discovery -t sendtargets -p
iscsiadm -m discovery -t sendtargets -p
iscsiadm -m node -T -p --login
iscsiadm -m node -T -p --login

The nicest thing about this is that multipath itself detects that there are two connections to the same SCSI device and sets everything up for you.

In “/dev/mapper” you'll find (for example) “14945540000000000000000000100000099b2f8000f000000” and that is your multipath device.

You can list your multipath devices with:

multipath -ll

In my example this looked like:

14945540000000000000000000100000099b2f8000f000000 dm-0 IET     ,VIRTUAL-DISK
\_ round-robin 0 [prio=1][active]
 \_ 4:0:0:0 sdd 8:48  [active][ready]
\_ round-robin 0 [prio=1][enabled]
 \_ 3:0:0:0 sdc 8:32  [active][ready]

Multipath detected that “sdc” and “sdd” are two paths to the same LUN and created one device which I could use.

If one of the connections goes down for whatever reason, you should see this in your dmesg:

[ 2070.285310] device-mapper: multipath: Failing path 8:32.

multipath -ll will then show:

sdc: checker msg is "directio checker reports path is down"
14945540000000000000000000100000099b2f8000f000000 dm-0 IET     ,VIRTUAL-DISK
\_ round-robin 0 [prio=1][active]
 \_ 4:0:0:0 sdd 8:48  [active][ready]
\_ round-robin 0 [prio=0][enabled]
 \_ 3:0:0:0 sdc 8:32  [failed][faulty]

Yes, you will see a lot of SCSI errors in your dmesg, but since you have a redundant path that is nothing to worry about. Do check that the path comes back ([active][ready] again) once the link is restored, because as long as it stays [failed][faulty] you are running on a single path and the next hiccup will take the device down.

Just keep in mind: use “/dev/mapper/14945540000000000000000000100000099b2f8000f000000” as your block device for whatever you intend to use it for, never “/dev/sdc” or “/dev/sdd” directly, because those are the individual paths and using them throws away the failover.
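
The discovery and login steps above, plus a check of the path state that you can hand to your monitoring, as an added example that is not code from the original post. It assumes values the post does not show: portals 192.0.2.11 and 192.0.2.12 (documentation addresses), the hypothetical IQN iqn.2009-01.example:storage.lun1, and the `multipath -ll` output layout shown in the post (multipath-tools of that era; newer releases print `mpatha (<wwid>) dm-0 ...` and need a different header parser). The two sample listings at the bottom are copied from the post's output so the parsers can be tried without a target at hand.

```sh
#!/bin/sh
# Added example, not code from the original post. Assumed (replace with yours):
# portals 192.0.2.11 and 192.0.2.12, IQN iqn.2009-01.example:storage.lun1, and
# the 'multipath -ll' layout of the multipath-tools release shown in the post.

PORTALS="${PORTALS:-192.0.2.11 192.0.2.12}"
TARGET="${TARGET:-iqn.2009-01.example:storage.lun1}"

# Discover the target on every portal and log in over each one, so the kernel
# ends up with one sd device per path (sdc and sdd in the post).
login_all_paths() {
  for portal in $PORTALS; do
    iscsiadm -m discovery -t sendtargets -p "$portal" || return 1
    iscsiadm -m node -T "$TARGET" -p "$portal" --login || return 1
  done
}

# Map name (the WWID, i.e. the /dev/mapper entry) from 'multipath -ll' output
# on stdin. The header is the line starting with the WWID that contains "dm-N";
# the "sdc: checker msg ..." lines printed for a failed path are skipped.
map_name() {
  awk '/^[0-9a-zA-Z].*dm-[0-9]/ { sub(/ *dm-.*/, ""); print; exit }'
}

# Number of paths in the given state ("active" or "failed") in 'multipath -ll'
# output on stdin. Only path lines ("H:C:T:L sdX major:minor [state][checker]")
# are counted, never the "[prio=..][active]" path-group lines above them.
count_paths() {
  awk -v want="$1" '
    / [0-9]+:[0-9]+:[0-9]+:[0-9]+ +sd[a-z]+ / && index($0, "[" want "]") > 0 { n++ }
    END { print n + 0 }'
}

# After login the map can take a moment to appear; wait until the expected
# number of paths (two here) is active before putting a filesystem on it.
wait_for_paths() {
  want="${1:-2}"; tries="${2:-30}"
  while [ "$tries" -gt 0 ]; do
    [ "$(multipath -ll 2>/dev/null | count_paths active)" -eq "$want" ] && return 0
    tries=$((tries - 1)); sleep 1
  done
  return 1
}

# Health check: print the map to use and fail when a path is down, because with
# one path left the "redundant" device is a single link failure away from I/O errors.
check_paths() {
  out=$(multipath -ll 2>/dev/null)
  name=$(printf '%s\n' "$out" | map_name)
  active=$(printf '%s\n' "$out" | count_paths active)
  failed=$(printf '%s\n' "$out" | count_paths failed)
  echo "device /dev/mapper/$name: $active active, $failed failed path(s)"
  [ "$failed" -eq 0 ] && [ "$active" -ge 2 ]
}

# Constructed samples, copied from the two listings in the post.
sample_healthy() {
  cat <<'EOF'
14945540000000000000000000100000099b2f8000f000000 dm-0 IET     ,VIRTUAL-DISK
\_ round-robin 0 [prio=1][active]
 \_ 4:0:0:0 sdd 8:48  [active][ready]
\_ round-robin 0 [prio=1][enabled]
 \_ 3:0:0:0 sdc 8:32  [active][ready]
EOF
}

sample_degraded() {
  cat <<'EOF'
sdc: checker msg is "directio checker reports path is down"
14945540000000000000000000100000099b2f8000f000000 dm-0 IET     ,VIRTUAL-DISK
\_ round-robin 0 [prio=1][active]
 \_ 4:0:0:0 sdd 8:48  [active][ready]
\_ round-robin 0 [prio=0][enabled]
 \_ 3:0:0:0 sdc 8:32  [failed][faulty]
EOF
}

case "${1:-}" in
  login) login_all_paths && wait_for_paths 2 ;;
  check) check_paths ;;
esac
```

`sh multipath-check.sh login` does the two discoveries and logins and waits for both paths; `sh multipath-check.sh check` is the one to run from cron or a monitoring agent, since a map that is quietly running on one path gives no other warning than the dmesg noise mentioned above.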

Multipath in combination with iSCSI is really great: a simple network hiccup will never take your services down, and you can keep your network a basic Layer-2 network. No STP is needed, and the redundant paths can go over fully separated links, which decreases the chance of downtime!

Have fun using multipath!

My first post

This is just another personal blog on the big, big, big internet! I work as CTO at PCextreme B.V. and I will be posting a lot about my daily work.

Just like any other system administrator I run into problems I have to fix, or some really undocumented software. Just like all other sysadmins I get a lot of information from various blog posts, so I thought, why not help other people by posting mine?

I'll try to post as much as I can in English, but sometimes, when a post is only relevant for Dutch people, I'll write it in Dutch.

Most of my posts will be about Ubuntu Linux, KVM (Kernel Virtual Machine), iSCSI, DRBD, Apache, etc. I'll try not to post information that can already be found in a howto or the documentation.

I hope I'll be able to help some sysadmins in trouble!