Any way to determine if a load balancer is being used on a site?

load-balancing

Solution 1:

EDIT: This will be very difficult to do if not impossible (dislike for that word) since the whole point of having a LoadBalancer is to make the client's interaction with it transparent and basically invisible. That being said, here is my original post:

I administer a load balancer for a rather large site. The only indication that our visitors have that they are visiting any specific application server is that we actually put the specific name of the server at the bottom of their login page. This helps us troubleshoot issues that they have.

Other than that I can think of only one thing that would "key" you into the fact that we are running a load balancer if we didn't follow that policy. Here's how you could tell but it'll take some luck.

Say that the load balancer is set to forward all traffic to either one server or another. Or at least it forwards ssh traffic between one server to another. Even though you probably don't have log in cred to log into either box, both will provide you with a different key should you attempt to log in. So if you attempt to log in via ssh the first time you'll be asked if you want to accept the key. Then if you get lucky on the second or third request you'll be told that there is a different key (ie it's another box). On a *nix system you're often alerted that this might be due to a man in the middle attack.

So two things have to be in place:

  1. SSH on remote server
  2. LB of SSH

So if you get two keys in a relatively short period of time you can probably assume that the sys admin hasn't changed them but rather that you've just communicated with two separate machines behind a load balancer.

Note: there is one other item but it's a real shot in the dark. You could attempt to figure out what block of IP's that this server was grouped with. Then let's say that on one of these particular IP address is placed on the LB (in fact it is on one of these IPs).

The Load Balancer is placed at XXX.XXX.XXX.5 for instance. The LB will then be set up to capture all traffic for at least one additional IP address. It typically does not forward traffic for XXX.XXX.XXX.5 (the commercial hardware I have definitely doesn't do this). So you can count on there being and admin address.

If the LB is set up to allow admin from all external hosts you may be able to apend something like /admin to the ip addresses until you find the LB. This assumes that the LB uses that path for administration.

Solution 2:

There is no determinative way, but there are a grab bag of clues you can look for.
- nmap it. nmap can give some clues on the OS of whatever device you're talking to. If it says BSD and the url's end in .aspx you're onto something.
- cookies: lot of loadbalancers add (or can add) session cookies. Look for any strange ones and google them, if you land on the F5 support forums, viola.
- assorted other headers: lots of 'em add headers based on things like if an item was cached or not (and other reasons). Look for any interesting headers and google them.
- on the page or buried in an html comment its common for the developers to have added a "served by web7" to help them troubleshoot.
- request the same content rapidly from multiple different ip's and compare the ETag headers. Apache by default bases the etag off the filesystem inode, and a lot of admins never get around to tuning that, so if you see a different Etag for the same content you can guess its coming from different servers (only works with apache, only works if not tuned, only works if not a shared filesystem).

Truthfully I'd only expect all of that to give you a meaningful answer like 1 time in 4 though, overall you can't really know unless as Catherine said "something is wrong".

Solution 3:

IP ID changes for every IP stack, thus IP host "behind" the load balancer. A tool like hping would give you just that: watch for IDs which do NOT belong to the same range, or - even if by some strange coincidence close enough - not increasing:

hping3 www.yoursite.com -S -p 80 (or whatever)

The above catches multiple hosts behind LB "under" the application layer.

Solution 4:

So, I think the question was, can you figure out casually from website behavior if there is a load balacner, and I would venture that the answer is "not unless something is wrong" (like the servers are out of sync). It is however, at least theoretically possible to figure out if there is an extra "invisible" device between you and the server responding to the request. That device might be a proxy server, a port forwarder, a static NAT device, a load balancer, or possibly something else that I've missed. Basically anything that responds to a ping on the IP, but isn't ultimately serving an HTTP request. Essentially you figure out how many hops there are between you and the public IP of the site using something like traceroute. Then you do some packet inspection to determine the TTL of a packet arriving from the host. Since the possible starting values for TTL are limited and well defined (unless someone is doing some serious hacking on their network stack), you can determine whether or not there is an extra hop. Not sure if that helps you at all, but I at least think it is an interesting thought.

Solution 5:

If the load balancer is doing cookie-based persistence then looking at the cookies might give you a clue.

Related

Are there any advantages to using OpenSolaris over linux other than ZFS? [closed]
Why do some Wireless Access Points cost so much more than others?
What is Microsoft Exchange? Why is it so popular? [closed]
How do I count the number of processors on an OpenBSD system?
Can putty beep when tailing a log file?
How can I have 2 database servers for my website?
Is there a way to see what files a user deleted in Linux?
Does a VPN connection bypass a router's firewall?
What and why is my swap space used under linux
Why Place Load-Balancer Behind Firewall?
Web site kills hard disk I/O, how to prevent?
Do firewalls and anti-virus software affect a server's performance?