So I was looking at an upstream that has been flooded from multiple locations and read that you can create what is called a blackhole within the upstream, which helps with the DDoS scenario.
Here is my upstream config:
upstream web_rack {
    least_conn;
    server 127.0.0.1:9000 weight=1 fail_timeout=4;
    server 127.0.0.1:9001 weight=1 fail_timeout=4;
    server 127.0.0.1:9002 weight=1 fail_timeout=4;
    server 127.0.0.1:9003 weight=1 fail_timeout=4;
    server 127.0.0.1:9004 weight=1 fail_timeout=4;
    server 127.0.0.1:9005 weight=1 fail_timeout=4;
    server 127.0.0.1:9006 weight=1 fail_timeout=4;
    server 127.0.0.1:9007 weight=1 fail_timeout=4;
    server 127.0.0.1:9008 weight=1 fail_timeout=4;
    server 127.0.0.1:9009 weight=1 fail_timeout=4;
    server 127.0.0.1:9010 weight=1 fail_timeout=4;
}
My question is: how does a blackhole in the upstream help, and how does it work? Is setting the "down" state a permanent 503 for all timed-out upstream requests?
And here is the upstream I read can act as a blackhole (itpp2012 gets credit for this):
A simple configuration like:
upstream myLoadBalancer {
    least_conn;
    server 192.168.169.22:80 weight=1 fail_timeout=5;
    server 192.168.169.17:80 weight=1 fail_timeout=5;
    server 192.168.169.26:80 weight=1 fail_timeout=5;
    server 192.168.169.23:80 weight=1 fail_timeout=5;
    server 192.168.169.27:80 weight=1 fail_timeout=5 down;
    server 192.168.169.28:80 weight=1 fail_timeout=5 down;
}
upstream myLoadBalancerDDOS {
    least_conn;
    server 127.0.0.1:8081 weight=1 fail_timeout=5;
    server 127.0.0.1:8082 weight=1 fail_timeout=5;
    server 127.0.0.1:8083 weight=1 fail_timeout=5 down;
    server 127.0.0.1:8084 weight=1 fail_timeout=5 down;
    server 127.0.0.1:8085 weight=1 fail_timeout=5 down;
    server 192.168.169.254:80 weight=1 fail_timeout=5 down;
}
In myLoadBalancer you have set 2 extra backends ready for expanding capacity.
In myLoadBalancerDDOS you have set 2 backends (or internal redirects to 503 location blocks) to deal with attacks, a backend (...169.254:80) to serve as a blackhole, and 3 more for expanding capacity.
Of course you can set as many backends and their destinations as you like: other webservers, faster blackholes, offloading addresses, swapping between cloud providers, etc.
http://www.networkflare.com/
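The following is an added, self-contained nginx.conf (it is not from the original post and not itpp2012's configuration) that shows what the "503 backend" and the "blackhole backend" in the myLoadBalancerDDOS layout actually do, and how `down` behaves. Two facts it relies on: a server marked `down` is simply never selected by the balancer, so it produces no 503 of its own; and when every server in an upstream is down or has failed, nginx logs "no live upstreams" and answers 502, not 503. The `fail_timeout=N` settings in the post use the default `max_fails=1`, so a single failed attempt removes a server from rotation for N seconds. The ports, the `perip` zone, the 10r/s rate, the `burst` value and the server name are assumptions chosen for illustration.

```nginx
# Added example (not from the original post). Assumed: ports 8081/8085,
# zone name "perip", 10r/s limit, and server_name example.com.
events {
    worker_connections 1024;
}

http {
    # Constructed per-client rate limit that decides who is sent to the sink.
    limit_req_zone $binary_remote_addr zone=perip:10m rate=10r/s;

    upstream myLoadBalancer {
        least_conn;
        server 192.168.169.22:80 weight=1 fail_timeout=5;
        server 192.168.169.17:80 weight=1 fail_timeout=5;
        # "down": never selected, regardless of fail_timeout/max_fails.
        # Remove the flag and reload nginx to bring the box into rotation.
        server 192.168.169.26:80 weight=1 fail_timeout=5 down;
    }

    # Sink upstream: only the 503 responder is live; the blackhole stays
    # "down" until it is deliberately enabled.
    upstream myLoadBalancerDDOS {
        least_conn;
        server 127.0.0.1:8081 weight=1 fail_timeout=5;        # answers 503
        server 127.0.0.1:8085 weight=1 fail_timeout=5 down;   # blackhole
    }

    # "503 backend": a local vhost that costs almost nothing per request.
    server {
        listen 127.0.0.1:8081;
        # "always" is required for add_header to apply to a 503 response.
        add_header Retry-After 120 always;
        return 503;
    }

    # "blackhole backend": 444 closes the connection with no response.
    # Caveat: when the front end proxies to this vhost it sees an upstream
    # error, counts it toward max_fails, and with the default
    # proxy_next_upstream it retries the next live server. A blackhole
    # that simply never answers (like 192.168.169.254 in the post) instead
    # holds the attacker's connection until proxy_connect_timeout expires,
    # which also ties up one of your own worker connections per request.
    server {
        listen 127.0.0.1:8085;
        return 444;
    }

    server {
        listen 80;
        server_name example.com;   # assumed

        # Normal traffic. Requests over the limit get a 503 from limit_req,
        # which error_page turns into an internal jump to @overlimit.
        # Switch the target to @blackhole to drop instead of answer.
        location / {
            limit_req zone=perip burst=20 nodelay;
            error_page 503 = @overlimit;
            proxy_pass http://myLoadBalancer;
        }

        # Over-limit requests are proxied to the sink upstream ...
        location @overlimit {
            proxy_pass http://myLoadBalancerDDOS;
            proxy_next_upstream off;   # a sink failure must not retry elsewhere
        }

        # ... or, for a real blackhole, dropped here without touching any
        # backend at all.
        location @blackhole {
            return 444;
        }
    }
}
```

Check it with `nginx -t -c /path/to/this.conf`, then hit `/` faster than 10r/s (for example with `ab` or a shell loop) and watch the responses flip from the real backend to 503 with a Retry-After header. To confirm the `down` behaviour, mark every server in myLoadBalancerDDOS `down`, reload, and repeat: the over-limit requests now return 502 with "no live upstreams" in the error log, which is the answer to the question of whether `down` yields a 503.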