Packet rate limiter

Chris chrcoluk at gmail.com
Thu Mar 1 11:08:29 UTC 2007


On 17/02/07, chrishome at austin.rr.com <chrishome at austin.rr.com> wrote:
> > Hi
> >
> > is there any way how to limit packet per second [PPS] rate to
> > specified
> > IP (group of IP) ? Linux can achieve this via IPtables.
> > I've searched a lot of web, but nothing interesting found (for PF,
> > IPFilter, and IPFW).
> >
>
> I agree this would be a very nice addition to IPFW as a basic feature,
> or maybe a more advanced version via Dummynet.  It's much too easy for a
> trojan / virus or intentionally malicious user to flood a FreeBSD box
> set up as a router with loads of tiny UDP packets on port 80.  In fact,
> just a few days ago we had 2 users behind one of our FreeBSD gateways
> sending huge loads of traffic to a webhosting site.  This packet count
> shown below was all within a 12 hour period ;)
>
> 00010   990465375    39618916491 deny ip from 172.17.106.114 to any
> 00010    20010976      800449444 deny ip from 172.17.105.114 to any
>
>
> Being able to put limits per protocol would be a wonderful addition.
> For now what we do is set up a count rule by MAC address for every user,
> we check the count rules every 60 seconds, if we begin to see packets
> per second for a certain host climb above for example 4000PPS, we simply
> automatically add a deny rule.  These are generally users set for 1 or 2
> Mbps each, so 4000PPS is pretty extreme for that kind of bandwidth
> unless you're doing something you shouldn't.
>
> I've been talking to a few friends about possibly adding this to ipfw or
> dummynet, and if I ever get around to a completed working version, I
> would be more than happy to share, but for now, there are ways to still
> fix the problem, just not as elegant as if it were actually a firewall
> rule ;)
>
> Chris Bowman
>
> _______________________________________________
> freebsd-net at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
>

What's the rule that counts per src address?

thanks

Chris
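The poll-and-deny approach Chris Bowman describes above (count rule per host, sample every 60 seconds, deny anything that climbs past 4000 PPS), written out as an added example script that is not from this thread. It keys the count rules on source IP rather than MAC address, since that is what the reply asks about, and assumes one rule of the form `ipfw add 1000 count ip from 172.17.106.114 to any` per host, the usual `ipfw show` column layout (rule, packets, bytes, action, proto, from, src, to, dst), and the 4000 PPS / 60 s figures from the thread. All names, rule numbers and the two counter snapshots are hypothetical; the default `DRY_RUN=1` only prints the `ipfw add deny` commands, so the detection logic can be run anywhere without ipfw.

```shell
#!/bin/sh
# Added example (not code from the thread): a poll-and-deny PPS watchdog in
# the style Chris Bowman describes, keyed by source IP instead of MAC.
# Assumes one ipfw "count" rule per host, e.g.
#     ipfw add 1000 count ip from 172.17.106.114 to any
# and "ipfw show" columns: rule packets bytes action proto from src to dst.
# THRESHOLD, INTERVAL, DENY_RULE and all function names are hypothetical.

THRESHOLD=${THRESHOLD:-4000}   # packets per second that triggers a deny rule
INTERVAL=${INTERVAL:-60}       # seconds between two counter samples
DENY_RULE=${DENY_RULE:-100}    # deny rules get a number below the count rules
DRY_RUN=${DRY_RUN:-1}          # 1 = only print the ipfw commands (safe default)

# counters_from_show: stdin = "ipfw show" output; stdout = "src_ip packets"
# for every count rule whose source is a single IPv4 host.
counters_from_show() {
    awk '$4 == "count" && $6 == "from" && $7 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $7, $2 }'
}

# offenders BEFORE_FILE AFTER_FILE SECONDS: print each source IP whose packet
# counter grew faster than THRESHOLD pps between the two snapshots. A counter
# that went backwards (rule reloaded or reset) is ignored, not reported.
offenders() {
    awk -v secs="$3" -v limit="$THRESHOLD" '
        FILENAME == ARGV[1] { before[$1] = $2; next }
        ($1 in before) && $2 >= before[$1] && ($2 - before[$1]) / secs > limit { print $1 }
    ' "$1" "$2"
}

# deny_host IP: add the deny rule, or just show it when DRY_RUN=1.
deny_host() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "would run: ipfw add $DENY_RULE deny ip from $1 to any"
    else
        ipfw add "$DENY_RULE" deny ip from "$1" to any
    fi
}

# watch_loop: the gateway-side loop; needs a real ipfw, so it only runs when
# the script is started as "watch".
watch_loop() {
    before=$(mktemp); after=$(mktemp)
    ipfw show | counters_from_show > "$before"
    while sleep "$INTERVAL"; do
        ipfw show | counters_from_show > "$after"
        for ip in $(offenders "$before" "$after" "$INTERVAL"); do
            deny_host "$ip"
        done
        mv "$after" "$before"
    done
}

# demo_offenders: run the detection over two constructed "ipfw show"
# snapshots taken 60 s apart. 172.17.106.114 gained 600000 packets
# (10000 pps); the other two hosts stayed far below the threshold.
demo_offenders() {
    b=$(mktemp); a=$(mktemp)
    counters_from_show > "$b" <<'EOF'
01000    1000000   80000000 count ip from 172.17.106.114 to any
01001      50000    4000000 count ip from 172.17.105.114 to any
01002        300      24000 count ip from 172.17.104.10 to any
65535  123456789 9876543210 allow ip from any to any
EOF
    counters_from_show > "$a" <<'EOF'
01000    1600000  128000000 count ip from 172.17.106.114 to any
01001      80000    6400000 count ip from 172.17.105.114 to any
01002        320      25600 count ip from 172.17.104.10 to any
65535  123556789 9886543210 allow ip from any to any
EOF
    offenders "$b" "$a" 60
    rm -f "$b" "$a"
}

if [ "${1:-demo}" = watch ]; then
    watch_loop
else
    for ip in $(demo_offenders); do deny_host "$ip"; done
fi
```

Run without arguments to see the detection over the constructed snapshots; on a gateway, start it as `DRY_RUN=0 ./ppswatch.sh watch` after adding one count rule per host. The deny rules are all given one number below the count rules so they match first and can be listed or flushed as a group; a host whose counter drops between samples is skipped rather than flagged, which avoids a false deny when rules are reloaded.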


More information about the freebsd-questions mailing list