Date:      Tue, 31 May 2016 19:28:59 +0100
From:      Will Squire <will_squire@hotmail.co.uk>
To:        Ian Smith <smithi@nimnet.asn.au>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Can ipfw be used to limit concurrent requests from an IP?
Message-ID:  <BLU436-SMTP56BAE61D59C2AEC514B937DA460@phx.gbl>
In-Reply-To: <20160528232515.Y15883@sola.nimnet.asn.au>
References:  <mailman.97.1464436802.9180.freebsd-questions@freebsd.org> <20160528232515.Y15883@sola.nimnet.asn.au>


> On 28 May 2016, at 15:27, Ian Smith <smithi@nimnet.asn.au> wrote:
>
> In freebsd-questions Digest, Vol 625, Issue 7, Message: 3
> On Fri, 27 May 2016 20:34:56 +0100 Will Squire <will_squire@hotmail.co.uk> wrote:
>
> (please wrap lines < 80 columns if possible)

Thanks, will do.

>
>> Can ipfw limit the number of requests in a given amount of time from a
>> specific IP?
>>
>> To contextualise, if an IP sends requests in high concurrency (let's
>> say 50 a second) can ipfw either block requests that exceed a
>> threshold for that second (let's say the threshold is 20, 30 would be
>> blocked), or ban/deny the given IP for exceeding a threshold?
>
> Not as such.  If you know the specific IP address (or range, or subnet)
> you can use stateful rules with 'limit' instead of 'keep-state' to limit
> the maximum number of concurrent connections to the port/s configured in
> a given rule; see ipfw(8).  You could use a table of addresses to block
> or limit rather than hard-coding them into rule/s.

Thanks for the reply Ian. I don’t think limit would work due to HTTP’s
“keep-alive” feature. I believe this means a connection would be kept open
(counting as one connection) and still open to heavy polling by the
client.

>
> While this is very useful for avoiding DoS of any particular service, it
> does not allow you to specify a rate, nor time limit, nor (directly) to
> block an IP address that's exceeding the given number of connections.
>
>> The aim is to lessen strain under DoS attacks, specifically for HTTP.
>> The system is using Apache and mod_evasive has been added and tested,
>> but it is not functioning correctly.
>
> I haven't used (nor heard of) mod_evasive so can't comment on that, but
> limiting the total number of connections open to a given service can
> certainly mitigate the effect of such DoS attacks.

Again, I think keep-alive might cause issues here (but please do correct
me if wrong). Limiting connections to the HTTP service might also worsen
the DoS to users.

>
> You could of course use /etc/inetd.conf (aka TCPwrappers) to limit
> connections in just the ways you want, though I'm not sure starting HTTP
> connections in that way is recommended these days.  I use it for FTP and
> POP3 connections, which works very well, thus:
>
> sola# grep -v '#' /etc/inetd.conf
> ftp     stream  tcp     nowait/7/3 root /usr/libexec/ftpd  ftpd -dll -S
> pop3    stream  tcp     nowait/7/4 root /usr/local/libexec/qpopper qpopper -s -T 120
>
> See inetd(1), particularly re the inetd.conf setting:
> {wait|nowait}[/max-child[/max-connections-per-ip-per-minute[/max-child-per-ip]]]
>
> The above example limits pop3 connections to 7 children and 4
> connections per IP per minute.  Excess connections are logged to
> /var/log/messages (and console.log if enabled) thus:
>
> May 21 12:31:59 sola inetd[9671]: pop3 from 182.118.103.211 exceeded counts/min (limit 4/min)
> May 21 14:21:51 sola inetd[9671]: pop3 from 182.118.99.168 exceeded counts/min (limit 4/min)
> May 21 14:21:52 sola inetd[9671]: pop3 from 182.118.99.168 exceeded counts/min (limit 4/min)
> May 21 14:26:40 sola inetd[9671]: pop3 from 182.117.230.117 exceeded counts/min (limit 4/min)
> May 21 15:34:53 sola inetd[9671]: pop3 from 182.117.207.48 exceeded counts/min (limit 4/min)
> May 21 16:26:56 sola inetd[9671]: pop3 from 182.117.226.184 exceeded counts/min (limit 4/min)
>
> You could run a script to tail messages hunting for such lines, then add
> the IP to a table if you want; for example I run a script that instantly
> bans GET requests for certain strings to any of a number of webservers.
> I also tend to check logs and hand-add naughty nets such as the above to
> a block table, never to be seen again ..

I’m not familiar with using TCPwrappers. Have seen another recommend
SSHGuard though (which I am using already). Can I do something similar
with that, or does/should it do this (add to ban table) automatically?
Unsure if SSHGuard needs any additional rules written for Apache.

>
> I also use not dissimilar connection limits to sendmail's MTA, but
> that's done in sendmail's own configuration.
>
> Others may know better ways to deal specifically with HTTP connections?
>
>> (P.S. The freebsd-ipfw list seems to be for development of the
>> technology only, so asking this here. Please let me know if this
>> isn't the case)
>
> It's usually fairly low volume and noone seems to mind usage questions,
> though the developers usually tend to let these go by.
>
> cheers, Ian

Thanks

Kind regards,
Will Squire
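The two mechanisms Ian describes above (a stateful ipfw rule with 'limit', and a script that watches /var/log/messages for inetd's "exceeded counts/min" lines and adds the offending address to an ipfw table) can be put together as follows. This is an added example, not code from the thread or from anyone on it: the rule numbers, the use of table 1, port 80, the per-source cap of 20 and the sample log lines are all assumptions made for illustration, and the sample addresses are from the 203.0.113.0/24 documentation range rather than the ones Ian posted. The script only prints the ipfw commands so it can be run and checked on any host without root.

```sh
#!/bin/sh
# Added example (not from the thread): turn inetd's "exceeded counts/min"
# log lines into ipfw table entries, the way Ian describes doing by hand.
#
# Assumed companion ruleset (rule numbers, table number 1, port 80 and the
# per-source cap of 20 concurrent connections are illustrative):
#   ipfw add 100 deny ip from 'table(1)' to any
#   ipfw add 200 check-state
#   ipfw add 210 allow tcp from any to me 80 setup limit src-addr 20
# On newer FreeBSD the table may have to be created first with
#   ipfw table 1 create type addr
# Rule 210 caps *connections* per source address, not requests, so one
# keep-alive connection can still carry as many requests as the client
# likes; that is exactly the limitation discussed in the thread.

# Constructed sample input in inetd's log format (addresses from the
# 203.0.113.0/24 documentation range, not from the thread). The sshd line
# is noise that must be ignored.
SAMPLE_LOG='May 21 12:31:59 sola inetd[9671]: pop3 from 203.0.113.11 exceeded counts/min (limit 4/min)
May 21 12:32:10 sola sshd[1234]: Accepted publickey for will from 203.0.113.50 port 51234 ssh2
May 21 14:21:51 sola inetd[9671]: pop3 from 203.0.113.22 exceeded counts/min (limit 4/min)
May 21 14:21:52 sola inetd[9671]: pop3 from 203.0.113.22 exceeded counts/min (limit 4/min)
May 21 15:34:53 sola inetd[9671]: ftp from 203.0.113.33 exceeded counts/min (limit 4/min)'

# offenders: read log lines on stdin and print each address that inetd
# reported as over its per-IP-per-minute limit, once, in first-seen order.
offenders() {
    awk '/inetd\[[0-9]+\]: .* from [0-9.]+ exceeded counts\/min/ {
            for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
            if (!(ip in seen)) { seen[ip] = 1; print ip }
         }'
}

# ban_commands: emit one "ipfw table 1 add <ip>" line per offender.
# Commands are printed rather than executed so they can be reviewed; pipe
# the output into sh as root on the FreeBSD box to apply them.
ban_commands() {
    offenders | awk '{ print "ipfw table 1 add " $1 }'
}

# Stand-alone run: show what would be added for the sample log.
printf '%s\n' "$SAMPLE_LOG" | ban_commands
```

To run it against the live log instead of the sample, feed it `tail -F /var/log/messages` and pipe the result into `sh`; note that awk buffers its output when writing to a pipe, so on a quiet host a ban may appear a little after the matching log line is written. The deny rule has to sit before the HTTP rules, as rule 100 does above, or entries added to the table will never be consulted.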