Can ipfw be used to limit concurrent requests from an IP?
Will Squire
will_squire at hotmail.co.uk
Tue May 31 18:30:11 UTC 2016
> On 28 May 2016, at 15:27, Ian Smith <smithi at nimnet.asn.au> wrote:
>
> In freebsd-questions Digest, Vol 625, Issue 7, Message: 3
> On Fri, 27 May 2016 20:34:56 +0100 Will Squire <will_squire at hotmail.co.uk> wrote:
>
> (please wrap lines < 80 columns if possible)
Thanks, will do.
>
>> Can ipfw limit the number of requests in a given amount of time from a
>> specific IP?
>>
>> To contextualise, if an IP sends requests in high concurrency (let's
>> say 50 a second) can ipfw either block requests that exceed a
>> threshold for that second (let's say the threshold is 20, 30 would be
>> blocked), or ban/deny the given IP for exceeding a threshold?
>
> Not as such. If you know the specific IP address (or range, or subnet)
> you can use stateful rules with 'limit' instead of 'keep-state' to limit
> the maximum number of concurrent connections to the port/s configured in
> a given rule; see ipfw(8). You could use a table of addresses to block
> or limit rather than hard-coding them into rule/s.
Thanks for the reply Ian. I don’t think limit would work due to HTTP’s
“keep-alive” feature. I believe this means a connection would be kept open
(counting as one connection) and still open to heavy polling by the client.
>
> While this is very useful for avoiding DoS of any particular service, it
> does not allow you to specify a rate, nor time limit, nor (directly) to
> block an IP address that's exceeding the given number of connections.
>
>> The aim is to lessen strain under DoS attacks, specifically for HTTP.
>> The system is using Apache and mod_evasive has been added and tested,
>> but it is not functioning correctly.
>
> I haven't used (nor heard of) mod_evasive so can't comment on that, but
> limiting the total number of connections open to a given service can
> certainly mitigate the effect of such DoS attacks.
Again, I think keep-alive might cause issues here (but please do correct me if
wrong). Limiting connections to the HTTP service might also worsen the DoS to
users.
>
> You could of course use /etc/inetd.conf (aka TCPwrappers) to limit
> connections in just the ways you want, though I'm not sure starting HTTP
> connections in that way is recommended these days. I use it for FTP and
> POP3 connections, which works very well, thus:
>
> sola# grep -v '#' /etc/inetd.conf
> ftp stream tcp nowait/7/3 root /usr/libexec/ftpd ftpd -dll -S
> pop3 stream tcp nowait/7/4 root /usr/local/libexec/qpopper qpopper -s -T 120
>
> See inetd(1), particularly re the inetd.conf setting:
> {wait|nowait}[/max-child[/max-connections-per-ip-per-minute[/max-child-per-ip]]]
>
> The above example limits pop3 connections to 7 children and 4
> connections per IP per minute. Excess connections are logged to
> /var/log/messages (and console.log if enabled) thus:
>
> May 21 12:31:59 sola inetd[9671]: pop3 from 182.118.103.211 exceeded counts/min (limit 4/min)
> May 21 14:21:51 sola inetd[9671]: pop3 from 182.118.99.168 exceeded counts/min (limit 4/min)
> May 21 14:21:52 sola inetd[9671]: pop3 from 182.118.99.168 exceeded counts/min (limit 4/min)
> May 21 14:26:40 sola inetd[9671]: pop3 from 182.117.230.117 exceeded counts/min (limit 4/min)
> May 21 15:34:53 sola inetd[9671]: pop3 from 182.117.207.48 exceeded counts/min (limit 4/min)
> May 21 16:26:56 sola inetd[9671]: pop3 from 182.117.226.184 exceeded counts/min (limit 4/min)
>
> You could run a script to tail messages hunting for such lines, then add
> the IP to a table if you want; for example I run a script that instantly
> bans GET requests for certain strings to any of a number of webservers.
> I also tend to check logs and hand-add naughty nets such as the above to
> a block table, never to be seen again ..
I’m not familiar with using TCPwrappers. I have seen another recommend
SSHGuard though (which I am using already). Can I do something similar
with that, or does/should it do this (add to ban table) automatically? Unsure
if SSHGuard needs any additional rules written for Apache.
>
> I also use not dissimilar connection limits to sendmail's MTA, but
> that's done in sendmail's own configuration.
>
> Others may know better ways to deal specifically with HTTP connections?
>
>> (P.S. The freebsd-ipfw list seems to be for development of the
>> technology only, so asking this here. Please let me know if this
>> isn't the case)
>
> It's usually fairly low volume and noone seems to mind usage questions,
> though the developers usually tend to let these go by.
>
> cheers, Ian
Thanks
Kind regards,
Will Squire
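The log-watching idea Ian describes, as an added example that is not code from either poster: a small POSIX sh script that parses inetd(8)'s "exceeded counts/min" lines and prints the ipfw(8) commands that would put repeat offenders into a block table. It assumes ipfw table number 1 as the block table and the rule numbers shown in its comments; the sample input reuses four of the log lines Ian posted plus one constructed, unrelated sshd line. It prints the commands rather than running them so the result can be reviewed first. Both inetd's per-minute counter and ipfw's 'limit' count TCP connections, not HTTP requests, which is the keep-alive point raised in the thread.

```shell
#!/bin/sh
# Added example (not code from the thread): turn inetd(8)'s
# "exceeded counts/min" log lines into ipfw(8) table entries.
# Assumptions: ipfw table 1 is the block table; commands are printed,
# not executed, so they can be reviewed before being piped into sh.

# Sample input: four of the inetd lines posted in the thread plus one
# constructed sshd line, to show that only inetd refusals are counted.
SAMPLE_LOG='May 21 12:31:59 sola inetd[9671]: pop3 from 182.118.103.211 exceeded counts/min (limit 4/min)
May 21 14:21:51 sola inetd[9671]: pop3 from 182.118.99.168 exceeded counts/min (limit 4/min)
May 21 14:21:52 sola inetd[9671]: pop3 from 182.118.99.168 exceeded counts/min (limit 4/min)
May 21 14:26:40 sola inetd[9671]: pop3 from 182.117.230.117 exceeded counts/min (limit 4/min)
May 21 14:30:00 sola sshd[1234]: Accepted publickey for will from 10.0.0.5 port 51111 ssh2'

# offenders [MIN]: read syslog text on stdin and print "<refusals> <ip>"
# for every source address inetd refused at least MIN times (default 1),
# most refusals first. IPv6 peers are logged with colons and are skipped.
offenders() {
    awk -v min="${1:-1}" '
        / inetd\[[0-9]+\]: .* from [0-9.]+ exceeded counts\/min/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { hits[$(i + 1)]++; break }
        }
        END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# is_ipv4 ADDR: accept only dotted-decimal IPv4 with four octets <= 255,
# so nothing odd from a log line can reach the ipfw command line.
is_ipv4() {
    case "$1" in *[!0-9.]*|.*|*.|*..*|'') return 1 ;; esac
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    [ $# -eq 4 ] || return 1
    for _o; do [ "$_o" -le 255 ] || return 1; done
}

# ban_commands [MIN] [TABLE]: print the ipfw commands that would add each
# offender with at least MIN refusals to table TABLE (default 1).
ban_commands() {
    _table="${2:-1}"
    offenders "${1:-1}" | while read -r _hits _ip; do
        is_ipv4 "$_ip" || continue
        printf 'ipfw table %s add %s   # %s refusals\n' "$_table" "$_ip" "$_hits"
    done
}

# The table is consumed by rules such as these (assumed rule numbers; the
# second is the 'limit' form from the thread, capping each source address
# at 20 concurrent connections to the web ports):
#   ipfw add 100 deny tcp from 'table(1)' to me dst-port 80,443
#   ipfw add 110 allow tcp from any to me dst-port 80,443 setup limit src-addr 20

# Dry run against the sample: only the address refused twice is listed.
printf '%s\n' "$SAMPLE_LOG" | ban_commands 2
```

Run it from cron over a recent slice of /var/log/messages (for example `ban_commands 2 1 < /var/log/messages | sh`) rather than behind `tail -F`, because the counting happens at end of input. Named tables (`ipfw table blockhosts add ...`) need FreeBSD 11 or later; the numeric form used here also works on older releases.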