From owner-freebsd-hackers Fri Jun 21 17:06:18 2002
From: Terry Lambert
Date: Fri, 21 Jun 2002 17:05:04 -0700
To: Giorgos Keramidas
Cc: Wouter Van Hemel, hackers@FreeBSD.org
Subject: Re: Limiting clients per source IP address (ftpd, inetd, etc.)
Message-ID: <3D13BF30.565B7A53@mindspring.com>
References: <20020621000924.GA2178@hades.hell.gr> <3D129CA8.EFADA4FF@mindspring.com> <1024656206.277.9.camel@cocaine> <3D13A4DA.28F3B169@mindspring.com> <20020621235847.GE5836@hades.hell.gr>

Giorgos Keramidas wrote:
> On 2002-06-21 15:12 +0000, Terry Lambert wrote:
> > Someone made the comment about people sitting behind a NAT, so that
> > the number of connections from a given IP is actually legitimate
> > traffic. This rate limitation is targeted at an attacker.
>
> Actually I was thinking more of ReGet and Godzilla-style software used
> by some users to play unfair and suck more bandwidth out of an FTP
> server, by opening a zillion sockets and downloading a single file in
> chunks.

What a clever hack! I don't know if I should revise my argument to
include per-IP-per-file, which would of necessity be user space, or just
admire it and say they *deserve* more bandwidth for being smart...
I guess I'll argue that it's a different problem space, and limiting the
number of connections for that reason is really easy to get around:

1) Open as many connections as you can
2) Divide the download between the connections

In other words, your workaround only works if you take the file into
account, or if you set your per IP connection limit to "1 connection per
IP". The former is a totally different problem, while the latter can be
done with ipfw or one of the other approaches already discussed.

-- Terry
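To make the distinction in this message concrete, here is a small admission-control model (added here as an illustration; it is not Terry's code nor anything from FreeBSD's ftpd or ipfw). `PerIpLimiter` stands in for the kernel-side per-address cap that ipfw can enforce, `PerIpPerFileLimiter` for the user-space per-IP-per-file variant Terry describes; the addresses, paths and limits are constructed sample values.

```python
from collections import Counter


class PerIpLimiter:
    """Admit a connection only while the source address has fewer than
    max_per_ip active transfers. Ignores which file is being fetched."""

    def __init__(self, max_per_ip):
        self.max_per_ip = max_per_ip
        self.active = Counter()          # ip -> active transfers

    def admit(self, ip, path):
        if self.active[ip] >= self.max_per_ip:
            return False
        self.active[ip] += 1
        return True


class PerIpPerFileLimiter(PerIpLimiter):
    """Per-IP cap plus a cap on concurrent transfers of the *same* file
    from one address. This needs the file name, so it lives in the
    server (user space), not in a packet filter."""

    def __init__(self, max_per_ip, max_per_file):
        super().__init__(max_per_ip)
        self.max_per_file = max_per_file
        self.per_file = Counter()        # (ip, path) -> active transfers

    def admit(self, ip, path):
        if self.per_file[(ip, path)] >= self.max_per_file:
            return False
        if not super().admit(ip, path):
            return False
        self.per_file[(ip, path)] += 1
        return True


def admitted(limiter, requests):
    """Count how many (ip, path) connection attempts the limiter lets in."""
    return sum(1 for ip, path in requests if limiter.admit(ip, path))


# Constructed sample traffic: one client splitting a single file into 8
# parallel segments, and 8 users behind one NAT each fetching a different file.
SEGMENTED = [("198.51.100.7", "/pub/big.iso")] * 8
NAT_USERS = [("203.0.113.9", f"/pub/file{i}.tgz") for i in range(8)]
```

With a per-IP cap of 4, the segmented downloader still gets four concurrent streams of one file; adding a per-file cap of 1 reduces that to a single stream without treating the NAT users any differently than the per-IP cap alone does.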