Date: Thu, 14 Sep 2006 22:53:31 +0300
From: Panagiotis <pnestora@ee.duth.gr>
To: freebsd-questions@freebsd.org
Subject: Re: Under Attack: Bandwidth throttling on 5.2.1?
Message-ID: <4509B33B.80604@ee.duth.gr>
In-Reply-To: <C214FC9E-0D29-44F0-B8F5-2116135A4AF1@cbpratt.prohosting.com>
References: <C214FC9E-0D29-44F0-B8F5-2116135A4AF1@cbpratt.prohosting.com>
Chris wrote:
> This is probably going to tax the memory. I'm sorry in advance.
>
> We observed 2 hangs and 3 crashes in the last 5 hours and finally
> after looking at the nature of the traffic, it appears to be little
> infested Windows spybots from all over targeting our forums to
> attempt to reply to all messages with gambling and other spam. The
> referer in every case is a few obvious spam sites. We measured 33
> pages per second and all invoking perl (well you can imagine the load).
> It's killed the system in several ways I've never even seen. We
> shut down on purpose for the first time in years which is pretty bad
> for business. I'm readying the quad opteron tyan to take down and
> shove in its place since the T1 can't swamp it, but still building.
> The machine is a dual 3.0 xeon with 4G and Intel 1000/Pro on 5.2.1
> with IPFW enabled. If I can configure throttling on this old a
> system, we could come back up I think and try to ride out the attack.
> I've never done this before but in an earlier thread I saw where you
> configure a pipe such as:
>
> ipfw pipe 1 config bw 256Kbit/s
> ipfw add pipe 1 tcp from 192.168.1.2 80
>
> then set sysctl.conf
> net.inet.ip.fw.one_pass=1
>
> Is that all that's necessary for this old a system or is there
> anything else. If this is correct, would this keep this fellow from
> crashing

To use traffic shaping with IPFW you have to compile the kernel with the following options:

    options DUMMYNET
    options HZ=1000

then you can add some lines like these to make your bandwidth limit work:

    # first flush all the previous pipes
    ipfw -q -f pipe flush
    ipfw pipe 1 config bw 256Kbit/s
    ipfw add pipe 1 tcp from any to any

Usually we use two pipes, one for download and one for upload, so you can try something like this:

    # first flush all the previous pipes
    ipfw -q -f pipe flush
    # upload bandwidth + download bandwidth = total bandwidth
    # pipe for upload
    ipfw pipe 1 config bw 128Kbit/s
    # pipe for download
    ipfw pipe 2 config bw 256Kbit/s
    server_port="20,21,80,443,995"     # add whatever ports you serve
    internal_network="192.168.0.0/24"  # a mask is needed, otherwise only the single host 192.168.0.0 matches
    # config upload
    ipfw add pipe 1 tcp from $internal_network to any $server_port
    # config download
    ipfw add pipe 2 tcp from any $server_port to $internal_network

The variables "server_port" and "internal_network" are examples of course... :-)

If you are running natd on your machine then you have to put the rules AFTER the divert natd rule, like these:

    external_ip="203.0.113.1"  # placeholder: the public address natd translates to
    ipfw add pipe 1 tcp from $external_ip to any $server_port
    ipfw add pipe 2 tcp from any $server_port to $internal_network

The net.inet.ip.fw.one_pass=1 must be set if you want your traffic to pass through the pipes and not continue to the next rules....

Sorry for my bad English....
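The two-pipe setup from the reply above, assembled into one script as an added example (not from the original mail or from FreeBSD itself). It assumes a kernel built with DUMMYNET and HZ=1000 and a running natd; the interface em0, the addresses 192.168.0.0/24 and 203.0.113.1, and the port list are placeholders, and IPFW_DRYRUN=1 only prints the commands so the rule order can be checked on any machine.

```shell
#!/bin/sh
# Added example, not part of the original mail: the two-pipe dummynet setup from
# the reply assembled into one script, including the natd ordering. Assumes a
# kernel built with DUMMYNET and HZ=1000 and a running natd; interface,
# addresses and ports used below are placeholders.

# run: execute a command, or only print it when IPFW_DRYRUN=1 so the rule set
# can be reviewed on any machine before it touches a live firewall.
run() {
    if [ "${IPFW_DRYRUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# apply_shaping EXT_IF INTERNAL_NET EXTERNAL_IP SERVER_PORTS UP_KBIT DOWN_KBIT
apply_shaping() {
    ext_if=$1; internal_network=$2; external_ip=$3
    server_port=$4; up_kbit=$5; down_kbit=$6

    # Shaped packets leave the rule set at the pipe instead of being
    # re-evaluated by the rules that follow it.
    run sysctl net.inet.ip.fw.one_pass=1

    run ipfw -q -f flush        # start from a clean rule set
    run ipfw -q -f pipe flush   # and drop any previous pipes

    # upload bandwidth + download bandwidth = total bandwidth
    run ipfw pipe 1 config bw "${up_kbit}Kbit/s"    # upload
    run ipfw pipe 2 config bw "${down_kbit}Kbit/s"  # download

    # The divert rule must precede the pipe rules (ipfw evaluates rules in
    # number order): outgoing packets then reach the pipes with the
    # translated external source, incoming ones with the translated internal
    # destination.
    run ipfw add 100 divert natd ip from any to any via "$ext_if"

    # Upload: after NAT the source is the external address, not the LAN.
    run ipfw add 200 pipe 1 tcp from "$external_ip" to any "$server_port"
    # Download: after NAT the destination is back on the internal network.
    run ipfw add 300 pipe 2 tcp from any "$server_port" to "$internal_network"

    # Placeholder policy for everything else; replace with your real rules.
    run ipfw add 65000 allow ip from any to any
}

# Dry run on any box (placeholders: em0, 192.168.0.0/24, 203.0.113.1):
# IPFW_DRYRUN=1 sh -c '. ./shape.sh; apply_shaping em0 192.168.0.0/24 203.0.113.1 20,21,80,443,995 128 256'
```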
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4509B33B.80604>