Frequently Asked Questions

While LoadMaster is not a security device, it is a hardened Linux appliance and can be applied to help mitigate certain kinds of DDoS attack as part of a well formed DiD strategy.

LoadMaster can help block SYN floods. Since LoadMaster supports a backlog of 1024 SYN connections before enabling SYN cookies (http://en.wikipedia.org/wiki/SYN_cookies). LoadMaster also supports something similar to TCP splicing/delayed binding (http://en.wikipedia.org/wiki/Delayed_binding); our L4 logic is handled by LVS/IPVS with a few enhancements and is a kind of splicing. When operating at Layer 7, LoadMaster acts as a full proxy terminating at the LoadMaster on both sides. This helps reduce load on real servers from fake requests. According to RFC 4987 (Section 4) (http://tools.ietf.org/html/rfc4987)

“Several vendors of commercial firewall products sell devices that can mitigate SYN flooding's effects on end hosts by proxying connections.”

Since LoadMaster supports Layer 7 full proxy it provides comparable mitigation to those devices. We do not have full numbers for a SYN flood situation, but 1800 SYN packets/second only generated 15% of CPU utilization of a LoadMaster 2200. Using an attack script (juno.c - http://www.packetstormsecurity.org/DoS/juno.c), a LoadMaster 2200 and it was able to withstand over 60,000 SYN packets/second at 100% CPU utilization. Meanwhile, the web interface and virtual service both remained available though slowed. Since LoadMaster does not pass half opened TCP connections, so LoadMaster will take the brunt of any such attack.