OK, I am looking for what seems to be a missing feature, but I am hoping I am wrong.
I can limit total bandwidth on a port/IP, as well as limit on an interface. What I want to do is have ALTQ/PF limit per connecting IP, so not a total limit but per connection.
The reason is this.
I have an unusual attack on a Varnish server; it's not an attack that utilizes many connections, in fact it's just one single connection, like Slowloris, but this one also uses high bandwidth. Randomly, maybe once every 2-3 days, we get an IP connecting to the Varnish server, pulling 300-500 Mbit/sec of bandwidth in a single connection for 1-2 minutes and then disconnecting. I am concerned there is some kind of vulnerability in Varnish as well, since it doesn't host any large files and they are doing this via a single connection, not via multiple connections. I have not found any options in Varnish to cut off established connections, and I assume if I do it at the OS level keepalive packets would reset the counter.
So for now what I want to do is to add a throttle per connection, e.g. max 20 Mbit/sec, which should at least for now stop them pulling so much bandwidth.
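The post describes a single connection that pulls far more bandwidth than the site's content should allow, which a connection-count limit will not catch. As an added example that is not part of the original post (and not an answer to the ALTQ/PF per-source question), here is a small detection script that reads varnishncsa-style access log lines and flags individual requests whose effective throughput exceeds the 20 Mbit/sec figure mentioned above. The log format is an assumption: it is the default NCSA layout with the request duration in microseconds (varnishncsa's `%D` field) appended as the last column; the sample lines are constructed, not real logs.

```python
import re

# Constructed sample lines (not from the poster's server). Format assumed:
# client_ip ident user [timestamp] "request" status bytes_sent duration_usec
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120 1200
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "GET /style.css HTTP/1.1" 200 2048 800
198.51.100.9 - - [10/Mar/2024:12:01:00 +0000] "GET /big HTTP/1.1" 200 4500000000 90000000
192.0.2.33 - - [10/Mar/2024:12:01:30 +0000] "GET /img.png HTTP/1.1" 200 1048576 600000
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) (?P<usec>\d+)$'
)


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    raw_bytes = m.group("bytes")
    return {
        "ip": m.group("ip"),
        "request": m.group("req"),
        "status": int(m.group("status")),
        "bytes": 0 if raw_bytes == "-" else int(raw_bytes),
        "seconds": int(m.group("usec")) / 1_000_000,
    }


def mbit_per_sec(nbytes, seconds):
    """Effective throughput of one response in megabits per second."""
    if seconds <= 0:
        return 0.0
    return nbytes * 8 / seconds / 1_000_000


def flag_fast_pulls(log_text, max_mbit=20.0, min_bytes=10 * 1024 * 1024):
    """Return (ip, request, bytes, mbit/s) for responses above the rate threshold.

    Tiny responses are skipped via min_bytes: a few kilobytes served in a
    millisecond has a huge nominal rate but is not a sustained pull.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["bytes"] < min_bytes:
            continue
        rate = mbit_per_sec(rec["bytes"], rec["seconds"])
        if rate > max_mbit:
            hits.append((rec["ip"], rec["request"], rec["bytes"], round(rate, 1)))
    return hits


if __name__ == "__main__":
    for ip, req, nbytes, rate in flag_fast_pulls(SAMPLE_LOG):
        print(f"{ip} pulled {nbytes} bytes at {rate} Mbit/s with: {req}")
```

In the constructed sample, only the 4.5 GB response at roughly 400 Mbit/s is flagged; the 1 MB image at about 14 Mbit/s stays under the threshold, and the small HTML/CSS responses are skipped by the byte floor. Feeding real varnishncsa output in the assumed format through `flag_fast_pulls` gives the offending source IP and the exact request it used, which is the first thing to check when deciding whether the large transfer came from a legitimate object or from something unexpected in the Varnish configuration.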