From: Will Squire <will_squire@hotmail.co.uk>
To: Ian Smith
CC: freebsd-questions@freebsd.org
Date: Tue, 31 May 2016 19:28:59 +0100
Subject: Re: Can ipfw be used to limit concurrent requests from an IP?
In-Reply-To: <20160528232515.Y15883@sola.nimnet.asn.au>

> On 28 May 2016, at 15:27, Ian Smith wrote:
>
> In freebsd-questions Digest, Vol 625, Issue 7, Message: 3
> On Fri, 27 May 2016 20:34:56 +0100 Will Squire wrote:
>
> (please wrap lines < 80 columns if possible)

Thanks, will do.

>
>> Can ipfw limit the number of requests in a given amount of time from a
>> specific IP?
>>
>> To contextualise, if an IP sends requests in high concurrency (let's
>> say 50 a second) can ipfw either block requests that exceed a
>> threshold for that second (let's say the threshold is 20, 30 would be
>> blocked), or ban/deny the given IP for exceeding a threshold?
>
> Not as such. If you know the specific IP address (or range, or subnet)
> you can use stateful rules with 'limit' instead of 'keep-state' to limit
> the maximum number of concurrent connections to the port/s configured in
> a given rule; see ipfw(8). You could use a table of addresses to block
> or limit rather than hard-coding them into rule/s.

Thanks for the reply Ian. I don't think limit would work due to HTTP's
"keep-alive" feature. I believe this means a connection would be kept open
(counting as one connection) and still open to heavy polling by the client.

>
> While this is very useful for avoiding DoS of any particular service, it
> does not allow you to specify a rate, nor time limit, nor (directly) to
> block an IP address that's exceeding the given number of connections.
>
>> The aim is to lessen strain under DoS attacks, specifically for HTTP.
>> The system is using Apache and mod_evasive has been added and tested,
>> but it is not functioning correctly.
>
> I haven't used (nor heard of) mod_evasive so can't comment on that, but
> limiting the total number of connections open to a given service can
> certainly mitigate the effect of such DoS attacks.

Again, I think keep-alive might cause issues here (but please do correct me if
wrong). Limiting connections to the HTTP service might also worsen the DoS to
users.

>
> You could of course use /etc/inetd.conf (aka TCPwrappers) to limit
> connections in just the ways you want, though I'm not sure starting HTTP
> connections in that way is recommended these days. I use it for FTP and
> POP3 connections, which works very well, thus:
>
> sola# grep -v '#' /etc/inetd.conf
> ftp stream tcp nowait/7/3 root /usr/libexec/ftpd ftpd -dll -S
> pop3 stream tcp nowait/7/4 root /usr/local/libexec/qpopper qpopper -s -T 120
>
> See inetd(1), particularly re the inetd.conf setting:
> {wait|nowait}[/max-child[/max-connections-per-ip-per-minute[/max-child-per-ip]]]
>
> The above example limits pop3 connections to 7 children and 4
> connections per IP per minute. Excess connections are logged to
> /var/log/messages (and console.log if enabled) thus:
>
> May 21 12:31:59 sola inetd[9671]: pop3 from 182.118.103.211 exceeded counts/min (limit 4/min)
> May 21 14:21:51 sola inetd[9671]: pop3 from 182.118.99.168 exceeded counts/min (limit 4/min)
> May 21 14:21:52 sola inetd[9671]: pop3 from 182.118.99.168 exceeded counts/min (limit 4/min)
> May 21 14:26:40 sola inetd[9671]: pop3 from 182.117.230.117 exceeded counts/min (limit 4/min)
> May 21 15:34:53 sola inetd[9671]: pop3 from 182.117.207.48 exceeded counts/min (limit 4/min)
> May 21 16:26:56 sola inetd[9671]: pop3 from 182.117.226.184 exceeded counts/min (limit 4/min)
>
> You could run a script to tail messages hunting for such lines, then add
> the IP to a table if you want; for example I run a script that instantly
> bans GET requests for certain strings to any of a number of webservers.
> I also tend to check logs and hand-add naughty nets such as the above to
> a block table, never to be seen again ..

I'm not familiar with using TCPwrappers. Have seen another recommend
SSHGuard though (which I am using already). Can I do something similar
with that, or does/should it do this (add to ban table) automatically? Unsure
if SSHGuard needs any additional rules written for Apache.

>
> I also use not dissimilar connection limits to sendmail's MTA, but
> that's done in sendmail's own configuration.
>
> Others may know better ways to deal specifically with HTTP connections?
>
>> (P.S. The freebsd-ipfw list seems to be for development of the
>> technology only, so asking this here. Please let me know if this
>> isn't the case)
>
> It's usually fairly low volume and no one seems to mind usage questions,
> though the developers usually tend to let these go by.
>
> cheers, Ian

Thanks

Kind regards,

Will Squire
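Ian's suggestion of a script that watches /var/log/messages for inetd's "exceeded counts/min" lines and feeds the offending addresses into an ipfw table is straightforward to implement. The following is an added example written for this archive, not code from either poster: it parses the log format shown in the thread, counts violations per source address, and renders `ipfw table <name> add <ip>` commands for addresses that crossed a chosen number of hits. The table name `badhosts`, the `min_hits` threshold and the sample log (the six lines quoted above plus one unrelated sshd line) are all assumptions or constructed input; the script only prints commands and never runs ipfw itself.

```python
"""Turn inetd per-IP connection-limit log lines into ipfw table commands.

Added example, not part of the original thread. Assumes the log format
quoted in the thread ("<svc> from <ip> exceeded counts/min (limit N/min)")
and a hypothetical ipfw table named "badhosts" that a deny rule references.
"""
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample input: the inetd lines from the thread plus one
# unrelated sshd line that the parser must ignore.
SAMPLE_LOG = """\
May 21 12:31:59 sola inetd[9671]: pop3 from 182.118.103.211 exceeded counts/min (limit 4/min)
May 21 12:32:10 sola sshd[1234]: Accepted publickey for will from 192.0.2.10 port 51234
May 21 14:21:51 sola inetd[9671]: pop3 from 182.118.99.168 exceeded counts/min (limit 4/min)
May 21 14:21:52 sola inetd[9671]: pop3 from 182.118.99.168 exceeded counts/min (limit 4/min)
May 21 14:26:40 sola inetd[9671]: pop3 from 182.117.230.117 exceeded counts/min (limit 4/min)
May 21 15:34:53 sola inetd[9671]: pop3 from 182.117.207.48 exceeded counts/min (limit 4/min)
May 21 16:26:56 sola inetd[9671]: pop3 from 182.117.226.184 exceeded counts/min (limit 4/min)
"""

# Matches exactly the inetd rate-limit message; anything else is skipped.
LIMIT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ inetd\[\d+\]: "
    r"(?P<svc>\S+) from (?P<ip>\S+) exceeded counts/min \(limit (?P<limit>\d+)/min\)$"
)


def parse_limit_events(log_text):
    """Return (timestamp, service, ip, limit) for each inetd limit line."""
    events = []
    for line in log_text.splitlines():
        m = LIMIT_RE.match(line)
        if not m:
            continue
        try:
            # Only a syntactically valid address may ever reach an ipfw command line.
            ip = str(ip_address(m.group("ip")))
        except ValueError:
            continue
        events.append((m.group("ts"), m.group("svc"), ip, int(m.group("limit"))))
    return events


def offenders(events, min_hits=1):
    """Count limit violations per source IP and keep those with at least min_hits."""
    counts = Counter(ip for _, _, ip, _ in events)
    return {ip: n for ip, n in counts.items() if n >= min_hits}


def ipfw_table_commands(ips, table="badhosts"):
    """Render 'ipfw table <name> add <ip>' lines, sorted numerically by address.

    The caller decides whether to pipe them into a root shell; nothing is executed here.
    """
    return ["ipfw table %s add %s" % (table, ip) for ip in sorted(ips, key=ip_address)]


if __name__ == "__main__":
    events = parse_limit_events(SAMPLE_LOG)
    for cmd in ipfw_table_commands(offenders(events, min_hits=1)):
        print(cmd)
```

The generated commands only have an effect once a rule references the table, for example `ipfw add deny ip from 'table(badhosts)' to any` early in the ruleset, and the script is meant to be driven from the live log (the `tail` loop Ian describes) rather than from the embedded sample. Raising `min_hits` above 1 avoids banning an address after a single burst, and whatever feeds the table should skip your own monitoring hosts and any addresses you cannot afford to lock out.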