Anti-DoS QoS with altq
Florent.Thiery at int-evry.fr
Fri Jun 23 17:05:17 UTC 2006
I'm wondering how to make altq use 2 queues defined as follow
- the first one is the "attackers" queue, and should be defined by a
static file containing ip adresses, filled by another program. RED
should be used on this queue (every client in this queue should have the
- the second one is the "normal clients" queue, which should have the
best effort possible (again, every client in this queue should have the
same priority) ; i don't know which scheduler to use...
The only traffic considered (as of now) is web traffic. The end purpose
of this is anti-DoS QoS on web server (80 and 8080 at the same time). I
have a running webserver and traffic generator, and a freebsd 6.1
gateway with custom kernel (altq + pf options enabled).
webserver -100 MB link - gateway - 1 Gb link - traffic
machine 1 freebsd
my purpose is to know the best combination in order to get the best
service possible for normal clients and the rest of bandwith should go
to attackers (if any of them are false positives).
I don't know how to manage the
- the ip file part (altq-file interconnection)
- the schedulers part: i'm gonna test them (httperf), are there some
altq-dedicated benchmarking tools (which, ideally would change QoS
- how to benchmark.... store and plot the results... (i guess it will be
shell scripting, watch grep wc pipes etc... )
Thanks in advance for your help. If there is an IRC channel or anybody
ok to discuss with me (messaging or mail), please contact me.
More information about the freebsd-pf