Date: Thu, 1 Mar 2007 11:08:27 +0000
From: Chris <chrcoluk@gmail.com>
To: "chrishome@austin.rr.com" <chrishome@austin.rr.com>
Cc: freebsd-net@freebsd.org, Jan Sebosik <sebosik@demax.sk>, freebsd-questions@freebsd.org
Subject: Re: Packet rate limiter
Message-ID: <3aaaa3a0703010308t1fad983em2707001dc5ec3593@mail.gmail.com>
In-Reply-To: <d03199da59743.59743d03199da@texas.rr.com>
References: <45C99336.3010508@demax.sk> <d03199da59743.59743d03199da@texas.rr.com>
On 17/02/07, chrishome@austin.rr.com <chrishome@austin.rr.com> wrote:
> > Hi
> >
> > is there any way how to limit packet per second [PPS] rate to
> > specified IP (group of IP)? Linux can achieve this via IPtables.
> > I've searched a lot of web, but nothing interesting found (for PF,
> > IPFilter, and IPFW).
>
> I agree this would be a very nice addition to IPFW as a basic feature,
> or maybe a more advanced version via Dummynet. It's much too easy for a
> trojan / virus or intentionally malicious user to flood a FreeBSD box
> set up as a router with loads of tiny UDP packets on port 80. In fact,
> just a few days ago we had 2 users behind one of our FreeBSD gateways
> sending huge loads of traffic to a webhosting site. This packet count
> shown below was all within a 12 hour period ;)
>
> 00010 990465375 39618916491 deny ip from 172.17.106.114 to any
> 00010 20010976 800449444 deny ip from 172.17.105.114 to any
>
> Being able to put limits per protocol would be a wonderful addition.
> For now what we do is set up a count rule by MAC address for every user,
> we check the count rules every 60 seconds, if we begin to see packets
> per second for a certain host climb above for example 4000PPS, we simply
> automatically add a deny rule. These are generally users set for 1 or 2
> Mbps each, so 4000PPS is pretty extreme for that kind of bandwidth
> unless you're doing something you shouldn't.
>
> I've been talking to a few friends about possibly adding this to ipfw or
> dummynet, and if I ever get around to a completed working version, I
> would be more than happy to share, but for now, there are ways to still
> fix the problem, just not as elegant as if it were actually a firewall
> rule ;)
>
> Chris Bowman
>
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"

What's the rule that counts per src address?

thanks
Chris
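The polling scheme Chris Bowman describes above (one count rule per host, sampled every 60 seconds, a deny rule added once a host passes 4000 pps), written out as an added example that is not part of the thread and not his script. It keys the count rules on source IP rather than MAC, which is also the form a per-source-address count rule takes; the rule-number ranges (1000-1999 for counts, 900 for the denies), the state-file path, the environment variables and the `ipfw -a list` field layout are assumptions made here, not anything the thread states.

```shell
#!/bin/sh
# Added example (not Chris Bowman's script): poll ipfw packet counters and
# deny any source whose packet rate exceeds a threshold.
#
# Assumptions, none of which come from the thread:
#  - one "count ip from <src> to any" rule per monitored host, numbered
#    1000-1999 (the thread counts by MAC; MAC rules need net.link.ether.ipfw=1,
#    per-IP rules do not, and they answer the "count per src address" question);
#  - deny rules are inserted at number 900, ahead of the count rules;
#  - counters are read with "ipfw -a list", whose lines look like
#    "<rule> <packets> <bytes> <action> <proto> from <src> to <dst>".

IPFW=${IPFW:-ipfw}
INTERVAL=${INTERVAL:-60}             # seconds between polls
THRESHOLD_PPS=${THRESHOLD_PPS:-4000}
STATE=${STATE:-/var/tmp/pps-limit}   # previous snapshot lives in $STATE.prev

# parse_counts: stdin is "ipfw -a list" output; prints "<rule> <packets> <src>"
# for the count rules in the monitored range only.
parse_counts() {
    awk '$1 + 0 >= 1000 && $1 + 0 < 2000 && $4 == "count" { print $1, $2, $7 }'
}

# exceeders PREV CUR INTERVAL THRESHOLD: compares two snapshots written by
# parse_counts and prints "<src> <pps>" for every host above THRESHOLD.
# A counter that went backwards (rule re-added, counters zeroed) is treated as
# having restarted from zero; a rule absent from PREV is skipped, because a
# single sample gives no rate.
exceeders() {
    awk -v interval="$3" -v threshold="$4" '
        FILENAME == ARGV[1] { prev[$1] = $2 + 0; next }
        !($1 in prev) { next }
        {
            delta = ($2 + 0 >= prev[$1]) ? $2 - prev[$1] : $2 + 0
            pps = delta / interval
            if (pps > threshold + 0) printf "%s %d\n", $3, pps
        }' "$1" "$2"
}

# block_host SRC PPS: insert the deny ahead of the count rules. Once denied,
# the host's count rule stops incrementing, so it is not flagged again.
block_host() {
    "$IPFW" add 900 deny ip from "$1" to any
    printf '%s pps-limit: blocked %s at %s pps\n' "$(date '+%F %T')" "$1" "$2" >&2
}

# One polling round: snapshot, compare with the previous round, block, rotate.
monitor_once() {
    "$IPFW" -a list | parse_counts > "$STATE.cur"
    if [ -f "$STATE.prev" ]; then
        exceeders "$STATE.prev" "$STATE.cur" "$INTERVAL" "$THRESHOLD_PPS" |
        while read -r src pps; do
            block_host "$src" "$pps"
        done
    fi
    mv "$STATE.cur" "$STATE.prev"
}

# Loop only when asked, so the file can also be sourced for its functions:
#   PPS_LIMIT_RUN=1 sh pps-limit.sh
if [ "${PPS_LIMIT_RUN:-0}" = 1 ]; then
    while :; do
        monitor_once
        sleep "$INTERVAL"
    done
fi
```

The count rule the script expects, one per host, is the plain `ipfw add 1000 count ip from 172.17.106.114 to any` form (a different number in the 1000-1999 range for each host); since a deny at 900 is evaluated first, blocked hosts drop to zero pps on the next round rather than being re-added every minute. Two caveats a practitioner would check before running this on a gateway: the 60 second window means a burst can run for up to a minute before the deny lands, and the denies are not persisted, so they vanish at the next `ipfw flush` or reboot unless the script also writes them to the rule file.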