streaming/DOS

Nikos Vassiliadis nvass at teledomenet.gr
Thu Jan 4 03:03:20 PST 2007


On Wednesday 03 January 2007 18:16, i18rabbit at cwazy.co.uk wrote:
> i am interested in finding out the best
> ways to stop denial-of-service attacks
> on a live MP3 streaming server.  the
> information presented has created a
> large group of people that work
> together to overwhelm the server
> whenever the radio broadcast streams.
> what is the most effective way to set
> up an MP3 live streaming server to
> automatically detect/block these
> kind of DOS attacks?
> 
> i am not directly running the server,
> but it is possible that i may do so,
> and in the least, i do have an
> advisory capacity with the
> people that do (they are in
> the MS Windows world which
> i know nothing about), and
> i would be interested to know
> if FreeBSD has capabilities in
> this area that Windows servers
> do not.
> 
> things i thought of as possibilities
> were setting up a free registration
> which would force attackers to re-register
> every time they get banned - or some kind of
> bandwidth limiting thing that would disconnect
> IPs or 24-bit IP ranges if an IP downloaded
> too much too fast - i don't know all the
> possibilities, but it seems to me that
> it should be possible to recognize
> abusers and drop them from further
> HTTP connections. 
> 

You can use ipfw and/or dummynet. You might want to limit:
1) the number of connections per IP address and/or port
2) bandwidth per IP address and/or port
Read the manual and search for "limit", "pipe" & "mask":
http://www.freebsd.org/cgi/man.cgi?query=ipfw&apropos=0&sektion=0&manpath=FreeBSD+6.1-RELEASE&format=html

You can also use pf. You can limit the number of connections
from an IP address per time period. ALTQ can help you manage
the traffic, though I am not sure that it would be helpful in your
case. Sections "Turning away the brutes" & "Directing traffic
with ALTQ" are of interest.
http://www.bgnett.no/~peter/pf/en/

Decide which one fits your needs and ask the list for further
pointers/help. These suggestions can work transparently in
your network, i.e. you don't have to change anything/much.
Just put a FreeBSD box in front of your streaming server.

Hope this helps, Nikos
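
The pf approach mentioned in the reply (limiting connections from an IP address per time period), sketched as a pf.conf fragment. This is an added example, not part of the original post; the interface name, server address, port and all numeric limits are assumptions to be tuned for the real stream.

```pf
# Constructed pf.conf fragment for a FreeBSD box placed in front of the
# streaming server. Assumed values (not from the post): interface em0,
# server address 192.0.2.10, stream port 8000, and every limit below.
ext_if      = "em0"
stream_srv  = "192.0.2.10"
stream_port = "8000"

# Source addresses that exceed the limits are added here by the pass rule.
table <abusers> persist

# Sources already in the table are dropped before any other rule is evaluated.
block in quick on $ext_if from <abusers>

# Listeners reaching the stream port:
#   max-src-conn 3         at most 3 simultaneous connections per source address
#   max-src-conn-rate 10/30  at most 10 new connections per 30 seconds per source
#   overload <abusers>     a source that exceeds either limit goes into the table
#   flush global           and all of its existing states are killed
# Listeners behind a shared NAT address count as one source, so set
# max-src-conn high enough for the largest legitimate site.
pass in on $ext_if inet proto tcp from any to $stream_srv port $stream_port \
    flags S/SA keep state \
    (max-src-conn 3, max-src-conn-rate 10/30, \
     overload <abusers> flush global)
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and list the blocked sources with `pfctl -t abusers -T show`. Entries stay in the table until they are deleted.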

