The SpinBox Load Balancer and Denial of Service
The Problem
An entry is created for each new connection in order to keep its state, and each entry takes up memory. Without protection, an attacker can run the server out of memory simply by opening connections, causing a denial of service. The SpinBox Load Balancer has three different methods to prevent this from happening.
Drop Entry Method
The drop_entry defense randomly drops entries from the connection hash table in order to reclaim memory for new connections. In the current code, the drop_entry procedure can be activated every second. The Load Balancer then randomly scans 1/32 of the entries and drops those that are in the SYN-RECV/SYNACK state. This has proved to be an effective defense against SYN-flooding attacks.
Drop Packet Method
If the Load Balancer is under a distributed DoS attack, the drop_entry defense may not keep pace with the rate at which the attack generates new connections. The drop_packet defense is designed to drop 1/rate of the incoming packets before forwarding them to the real servers. If the rate is 1, the Load Balancer drops all of the incoming packets.
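The two memory defenses above are easiest to understand as operations on the connection table itself. The following simulation is an added example written for this page; it is not SpinBox code and makes no claim about its internals. It models the table as a dictionary, `drop_entry` as a random scan of 1/32 of the entries that evicts the half-open ones, and `drop_packet` as dropping one packet in `drop_rate` (rate 1 drops everything), then floods the table with spoofed SYNs that never complete the handshake and checks whether a legitimate client can still get an entry. The table size, tick granularity and addresses are constructed values.

```python
import random
from dataclasses import dataclass

# Connection states named as on the page: SYN-RECV (half-open) and ESTABLISHED.
SYN_RECV = "SYN_RECV"
ESTABLISHED = "ESTABLISHED"


@dataclass
class Conn:
    client: tuple   # (source address, source port) as seen by the balancer
    state: str


class ConnTable:
    """Toy connection table (an assumption for illustration, not SpinBox's code).

    max_entries stands in for the memory available to hold connection state.
    """

    def __init__(self, max_entries, drop_entry=False, drop_rate=0):
        self.max_entries = max_entries
        self.entries = {}
        self.drop_entry_enabled = drop_entry
        self.drop_rate = drop_rate      # drop_packet: 0 = off, 1 = drop all, n = drop 1 in n
        self.pkt_counter = 0
        self.dropped_packets = 0

    def drop_entry(self, rng, fraction=32):
        """drop_entry defense: scan a random 1/fraction of the table and evict
        entries that are still half-open (never completed the handshake)."""
        keys = list(self.entries)
        if not keys:
            return 0
        sample = rng.sample(keys, max(1, len(keys) // fraction))
        evicted = 0
        for key in sample:
            if self.entries[key].state == SYN_RECV:
                del self.entries[key]
                evicted += 1
        return evicted

    def drop_packet(self):
        """drop_packet defense: drop 1 in drop_rate packets before forwarding
        (rate 1 drops every packet). Returns True if this packet is dropped."""
        if self.drop_rate == 0:
            return False
        self.pkt_counter += 1
        if self.pkt_counter % self.drop_rate == 0:
            self.dropped_packets += 1
            return True
        return False

    def syn(self, client):
        """Handle an incoming SYN; return True if an entry exists for it afterwards."""
        if self.drop_packet():
            return False
        if client in self.entries:
            return True
        if len(self.entries) >= self.max_entries:
            return False            # out of memory: this is the DoS the page describes
        self.entries[client] = Conn(client, SYN_RECV)
        return True


def simulate_syn_flood(syns_per_tick, ticks, table_size,
                       drop_entry=False, drop_rate=0, seed=7):
    """Flood the balancer with spoofed SYNs that never complete the handshake,
    run drop_entry once per tick (the page's 'every second'), then check
    whether a legitimate client can still get an entry."""
    rng = random.Random(seed)
    table = ConnTable(table_size, drop_entry=drop_entry, drop_rate=drop_rate)
    accepted = 0
    n = 0
    for _ in range(ticks):
        for _ in range(syns_per_tick):
            # constructed spoofed source: a fresh address/port for every SYN
            client = ("203.0.113.%d" % (n % 256), 1024 + n)
            n += 1
            if table.syn(client):
                accepted += 1
        if table.drop_entry_enabled:
            table.drop_entry(rng)
    legit_ok = table.syn(("198.51.100.10", 51000))   # constructed legitimate client
    return {
        "accepted": accepted,
        "dropped_packets": table.dropped_packets,
        "entries": len(table.entries),
        "legit_ok": legit_ok,
    }


if __name__ == "__main__":
    print("no defense:   ", simulate_syn_flood(100, 20, 1000))
    print("drop_entry:   ", simulate_syn_flood(20, 100, 1000, drop_entry=True))
    print("drop_rate=2:  ", simulate_syn_flood(100, 20, 1000, drop_rate=2))
    print("drop_rate=1:  ", simulate_syn_flood(100, 20, 1000, drop_rate=1))
```

Two things are worth noticing when running it. With no defense a 1000-entry table fills after 1000 spoofed SYNs and the legitimate client is refused. With drop_entry on, a flood of 20 SYNs per tick settles at a few hundred entries because the scan evicts as many half-open entries as arrive, so the legitimate client still gets in; doubling the flood rate a few times outruns the 1/32 scan, which is the case the page hands to drop_packet. drop_packet is indiscriminate: at rate 2 it halves what reaches the table and the real servers, and at rate 1 nothing at all gets through, including the legitimate SYN.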
Secure TCP Method
The secure_tcp defense uses a more complicated state transition table and optional short timeouts for each state. In VS/NAT mode, it delays entering the ESTABLISHED state until the real server starts to send data and an ACK packet (after the 3-way handshake).
This strategy also allows the per-state timeouts of connections in the table to be configured.
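To make the secure_tcp idea concrete, here is an added example (written for this page, not SpinBox's own state table) that contrasts a normal handshake table with a secure one. Only the handshake and teardown rows are modelled, and the per-state timeouts are constructed values, not the product's defaults. In the normal table the client's third handshake packet moves the entry to ESTABLISHED, which a spoofing client can send without the server ever answering; in the secure table the entry stays in SYNACK until the real server's own ACK/data is seen, so an entry that never gets a server reply expires under the short SYN-RECV/SYNACK timeout instead of occupying a long-lived ESTABLISHED slot.

```python
# Directions as the balancer sees them: in = from the client, out = from the real server.
INPUT, OUTPUT = "in", "out"
NONE, SYN_RECV, SYNACK, ESTABLISHED, CLOSE = "NONE", "SYN_RECV", "SYNACK", "ESTABLISHED", "CLOSE"

# Normal transition table, keyed by (direction, flag, current state).
# 'syn' means the SYN flag is set, so the server's SYN/ACK counts as 'syn'.
NORMAL_TABLE = {
    (INPUT, "syn", NONE): SYN_RECV,
    (OUTPUT, "syn", SYN_RECV): SYN_RECV,       # server SYN/ACK: still half-open
    (INPUT, "ack", SYN_RECV): ESTABLISHED,     # client's final handshake ACK is trusted
    (OUTPUT, "ack", SYN_RECV): ESTABLISHED,
    (INPUT, "fin", ESTABLISHED): CLOSE,
    (OUTPUT, "fin", ESTABLISHED): CLOSE,
}

# secure_tcp table: ESTABLISHED is reached only once the real server answers with ACK/data.
SECURE_TABLE = dict(NORMAL_TABLE)
SECURE_TABLE.update({
    (OUTPUT, "syn", SYN_RECV): SYNACK,
    (INPUT, "ack", SYN_RECV): SYN_RECV,        # a client ACK alone proves nothing
    (INPUT, "ack", SYNACK): SYNACK,
    (OUTPUT, "ack", SYNACK): ESTABLISHED,
})

# Per-state timeouts in seconds: constructed values for the example, not SpinBox defaults.
NORMAL_TIMEOUTS = {SYN_RECV: 60, SYNACK: 60, ESTABLISHED: 900, CLOSE: 10}
SECURE_TIMEOUTS = {SYN_RECV: 10, SYNACK: 10, ESTABLISHED: 900, CLOSE: 10}


class Tracker:
    """Connection-state tracker driven by explicit timestamps so runs are repeatable."""

    def __init__(self, secure_tcp=False, timeouts=None):
        self.table = SECURE_TABLE if secure_tcp else NORMAL_TABLE
        self.timeouts = timeouts or (SECURE_TIMEOUTS if secure_tcp else NORMAL_TIMEOUTS)
        self.entries = {}          # key -> [state, last_seen]

    def expire(self, now):
        """Drop every entry whose state timeout has elapsed; return how many were dropped."""
        stale = [k for k, (state, seen) in self.entries.items()
                 if now - seen > self.timeouts[state]]
        for k in stale:
            del self.entries[k]
        return len(stale)

    def packet(self, key, direction, flag, now):
        """Apply one packet and return the entry's new state (None if no entry exists)."""
        self.expire(now)
        entry = self.entries.get(key)
        state = entry[0] if entry else NONE
        if flag == "rst":
            self.entries.pop(key, None)
            return None
        new_state = self.table.get((direction, flag, state), state)
        if new_state == NONE:
            return None             # a stray ACK with no entry creates nothing
        self.entries[key] = [new_state, now]
        return new_state


def run_handshake(secure_tcp, server_answers, check_at=11.0):
    """Replay a client handshake. If server_answers is False the real server never
    sends its ACK/data (what the balancer sees for a spoofed client). Return the
    observed states and whether the entry survives an expiry sweep at check_at."""
    t = Tracker(secure_tcp)
    key = ("198.51.100.10", 51000)              # constructed client address
    states = [
        t.packet(key, INPUT, "syn", 0.0),
        t.packet(key, OUTPUT, "syn", 0.1),      # SYN/ACK from the real server
        t.packet(key, INPUT, "ack", 0.2),       # third handshake packet from the client
    ]
    if server_answers:
        states.append(t.packet(key, OUTPUT, "ack", 0.3))   # server's first data/ACK
    t.expire(check_at)
    return states, key in t.entries


if __name__ == "__main__":
    for secure in (False, True):
        for answers in (False, True):
            print("secure_tcp=%s server_answers=%s ->" % (secure, answers),
                  run_handshake(secure, answers))
```

The sweep at 11 seconds is the point of the exercise: under the normal table the half-open connection has already been promoted to ESTABLISHED with its long timeout, so it stays; under secure_tcp the same packets leave it in SYNACK, which times out. Shortening the SYN-RECV/SYNACK timeouts, as the page says the strategy allows, tightens this further at the cost of dropping genuinely slow clients.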