Date: Fri, 21 Jun 2002 17:05:04 -0700
From: Terry Lambert <tlambert2@mindspring.com>
To: Giorgos Keramidas <keramida@FreeBSD.org>
Cc: Wouter Van Hemel <wouter@pair.com>, hackers@FreeBSD.org
Subject: Re: Limiting clients per source IP address (ftpd, inetd, etc.)
Message-ID: <3D13BF30.565B7A53@mindspring.com>
References: <20020621000924.GA2178@hades.hell.gr> <3D129CA8.EFADA4FF@mindspring.com> <1024656206.277.9.camel@cocaine> <3D13A4DA.28F3B169@mindspring.com> <20020621235847.GE5836@hades.hell.gr>
Giorgos Keramidas wrote:
> On 2002-06-21 15:12 +0000, Terry Lambert wrote:
> > Someone made the comment about people sitting behind a NAT, so that
> > the number of connections from a given IP is actually legitimate
> > traffic. This rate limitation is targeted at an attacker.
>
> Actually I was thinking more of ReGet and Godzilla-style software used
> by some users to play unfair and suck more bandwidth out of an FTP
> server, by opening a zillion sockets and downloading a single file in
> chunks.

What a clever hack! I don't know if I should revise my argument to
include per-IP-per-file, which would of necessity be user space, or
just admire it and say they *deserve* more bandwidth for being smart...

I guess I'll argue that it's a different problem space, and limiting
the number of connections for that reason is really easy to get around:

1) Open as many connections as you can
2) Divide the download between the connections

In other words, your workaround only works if you take the file into
account, or if you set your per IP connection limit to "1 connection
per IP". The former is a totally different problem, while the latter
can be done with ipfw or one of the other approaches already discussed.

-- Terry
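As an added illustration of the distinction drawn in this reply (a plain per-source-IP connection limit versus per-IP-per-file accounting), the following Python model is not part of the original thread and is not code from FreeBSD's ftpd, inetd or ipfw; the class name `ConnectionLimiter`, the helper functions and the sample addresses and paths are invented for the example. It models a download accelerator opening many sockets for a single file alongside several users behind one NAT each fetching a different file, and shows that a per-IP limit either lets the accelerator keep several parallel chunks or, when set to 1, also blocks the legitimate NAT users, whereas counting live connections per (IP, file) tells the two cases apart.

```python
from collections import defaultdict


class ConnectionLimiter:
    """Track live data connections per source IP and per (IP, file).

    per_ip          -- maximum simultaneous connections from one address
                       (what an ipfw 'limit src-addr N' style rule enforces)
    per_ip_per_file -- maximum simultaneous connections from one address
                       to the same file (needs the file name, so it can only
                       be enforced in user space, e.g. inside the FTP daemon)
    None means "no limit" for that dimension.
    """

    def __init__(self, per_ip=None, per_ip_per_file=None):
        self.per_ip = per_ip
        self.per_ip_per_file = per_ip_per_file
        self._by_ip = defaultdict(int)
        self._by_ip_file = defaultdict(int)

    def open(self, ip, path):
        """Try to account for a new connection; return True if it is allowed."""
        if self.per_ip is not None and self._by_ip[ip] >= self.per_ip:
            return False
        if (self.per_ip_per_file is not None
                and self._by_ip_file[(ip, path)] >= self.per_ip_per_file):
            return False
        self._by_ip[ip] += 1
        self._by_ip_file[(ip, path)] += 1
        return True

    def close(self, ip, path):
        """Release a connection previously admitted by open()."""
        if self._by_ip_file[(ip, path)] > 0:
            self._by_ip_file[(ip, path)] -= 1
            self._by_ip[ip] -= 1

    def active(self, ip):
        """Number of live connections currently charged to this address."""
        return self._by_ip[ip]


def simulate_chunked_download(limiter, ip, path, attempts):
    """Model a ReGet-style client: open as many sockets as it can for ONE
    file; return how many the limiter admitted (each would carry a chunk)."""
    return sum(1 for _ in range(attempts) if limiter.open(ip, path))


def simulate_nat_users(limiter, ip, paths):
    """Model several users behind one NAT address, each fetching a DIFFERENT
    file; return how many of them the limiter admitted."""
    return sum(1 for p in paths if limiter.open(ip, p))


def compare_policies():
    """Run the two client models against three policies (constructed sample
    addresses and paths) and return admitted-connection counts per policy."""
    accel_ip, nat_ip = "192.0.2.10", "192.0.2.20"      # constructed, RFC 5737
    big_file = "/pub/big.iso"
    nat_files = ["/pub/a.txt", "/pub/b.txt", "/pub/c.txt"]
    results = {}
    for name, limiter in (
        ("per_ip=4", ConnectionLimiter(per_ip=4)),
        ("per_ip=1", ConnectionLimiter(per_ip=1)),
        ("per_ip_per_file=1", ConnectionLimiter(per_ip_per_file=1)),
    ):
        results[name] = {
            "accelerator_chunks": simulate_chunked_download(limiter, accel_ip, big_file, 20),
            "nat_users_served": simulate_nat_users(limiter, nat_ip, nat_files),
        }
    return results


if __name__ == "__main__":
    for policy, counts in compare_policies().items():
        print(f"{policy:20s} {counts}")
```

The per_ip=4 row admits four parallel chunks to the accelerator (the workaround described in the reply), the per_ip=1 row stops it but serves only one of the three NAT users, and only the per-(IP, file) policy serves all three while holding the accelerator to a single connection.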
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3D13BF30.565B7A53>