Anti-DoS QoS with altq

Florent Thiery Florent.Thiery at int-evry.fr
Fri Jun 23 17:05:17 UTC 2006


Hi,

I'm wondering how to make altq use 2 queues defined as follows:
- the first one is the "attackers" queue, and should be defined by a 
static file containing IP addresses, filled by another program. RED 
should be used on this queue (every client in this queue should have the 
same priority)
- the second one is the "normal clients" queue, which should have the 
best effort possible (again, every client in this queue should have the 
same priority); I don't know which scheduler to use...

The only traffic considered (as of now) is web traffic. The end purpose 
of this is anti-DoS QoS on a web server (80 and 8080 at the same time). I 
have a running webserver and traffic generator, and a FreeBSD 6.1 
gateway with a custom kernel (altq + pf options enabled).

webserver  - 100 MB link -  gateway  - 1 Gb link -  traffic generator
machine 1                   freebsd                 machine 1

My purpose is to know the best combination in order to get the best 
service possible for normal clients; the rest of the bandwidth should go 
to attackers (in case any of them are false positives).

I don't know how to manage:
- the IP file part (altq-file interconnection)
- the schedulers part: I'm gonna test them (httperf), are there some 
altq-dedicated benchmarking tools (which, ideally, would change QoS 
options sequentially)?
- how to benchmark.... store and plot the results... (I guess it will be 
shell scripting, watch/grep/wc pipes, etc...)

Thanks in advance for your help. If there is an IRC channel or anybody 
ok to discuss with me (messaging or mail), please contact me.

Regards,

Florent
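The "altq-file interconnection" asked about above is usually done with a pf table loaded from a file, with the two queues attached to the rules that match (or don't match) that table. The fragment below is an added example, not from the original post or from the FreeBSD project; the interface names, the webserver address, the table file path and the 90%/10% split are assumptions chosen for illustration:

```pf
# Added example (not from the original post): pf.conf fragment for a FreeBSD
# pf+altq gateway. Interface names, file paths and the webserver address are
# assumptions; 192.0.2.10 is a documentation address standing in for the host.
ext_if    = "em0"           # faces the traffic generator (assumed)
int_if    = "em1"           # faces the webserver over the 100 Mb link (assumed)
webserver = "192.0.2.10"
web_ports = "{ 80, 8080 }"

# The attacker list is a plain text file, one address or CIDR per line,
# written by the external program. 'persist' keeps the table alive even when
# no rule currently references it.
table <attackers> persist file "/etc/pf/attackers.txt"

# altq queues are applied on the interface the traffic LEAVES through; client
# requests reach the webserver via $int_if, so the scheduler is defined there.
altq on $int_if cbq bandwidth 100Mb queue { q_normal, q_attackers }

# Normal clients: high priority, may borrow bandwidth the attacker queue leaves idle.
queue q_normal    bandwidth 90% priority 5 cbq(default borrow)

# Attackers: low priority, fixed share, RED so the queue drops early as it fills.
queue q_attackers bandwidth 10% priority 1 cbq(red)

# pf uses last-matching-rule-wins unless 'quick' is set: the <attackers> rule
# comes first with 'quick', everything else falls through to q_normal.
pass in quick on $ext_if proto tcp from <attackers> to $webserver \
    port $web_ports flags S/SA keep state queue q_attackers
pass in on $ext_if proto tcp from any to $webserver \
    port $web_ports flags S/SA keep state queue q_normal
```

When the external program rewrites the file, `pfctl -t attackers -T replace -f /etc/pf/attackers.txt` swaps the table contents in place without reloading the ruleset, so existing states on normal clients are untouched. For the benchmarking side, `pfctl -v -s queue` prints per-queue packet, byte and drop counters; sampling it between httperf runs gives the numbers to store and plot.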

