[PF] Packet speed limit

While it is not possible to protect your net's hardware from DoS attacks, there are methods of minimizing the damage done to your server as a unit by hardening your TCP/IP stack. This will make your server and services much more durable against DoS-like attacks. There are quite a few documents on the net regarding stack hardening, google them.
 
You can protect and rate-limit your ports and your software and your servers all you like. You can still be DDOS'ed and starved of bandwidth though ... which is what everyone's been saying about 25 times now.
 
I'll try to explain. Let's stop thinking about TCP traffic and instead think about water pipes.


Code:
Huge watersource <== waterpipe ==> watersystem handler <== your personal waterpipe ==> your glass
(malicious user)                        (ISP)                                         (your server)

Now, if someone from the "huge watersource" decides to fill your waterpipe with his water, he simply does so and there is nothing you can do about it. You can always put a cover on your glass, so it won't fill up, but it won't change the fact that the water has already filled your waterline before it hits the cover. The only way to stop that user from filling your water pipes is to ask the handler (ISP) to stop directing water to your pipes from that user. There is no other way. (Back to computers: if somebody sends you IP packets and fills your bandwidth, you can either "drink it" or "let it go to waste".)

And about those Apache and torrent questions: what you CAN do is decide how much water you send from your "glass" to your pipes. That is why apache, ftpd, etc. can put a limit on the user - they just won't send more than told to. And about the torrent: I think that was already explained earlier.

And hopefully someone can possibly explain my idea even simpler :)
 
I'm afraid someone will ask whether a tap interface or a bridge would help to stem the flow.
 
DutchDaemon said:
You can't limit incoming traffic, only outgoing traffic (either originating locally, or as a response to incoming traffic (return traffic)). You can't limit based on random incoming IP addresses. Please read the documentation.

I've always wondered why it isn't possible to limit incoming traffic with PF. Is it because of implementation difficulties or something similar?

Wget can limit the download speed with --limit-rate though.
 
Application-based rate/speed-limiting works because there's communication ('an understanding') between the applications/protocols on both ends. PF is just a raw packet-filter that can do no more than produce messages and errors to slow the other side down; it has no means of communication with the sending applications/protocols in a specific way.
 
DutchDaemon said:
Application-based rate/speed-limiting works because there's communication ('an understanding') between the applications/protocols on both ends. PF is just a raw packet-filter that can do no more than produce messages and errors to slow the other side down; it has no means of communication with the sending applications/protocols in a specific way.

Is there no way to perform such rate limiting other than at the client? How does a download manager perform rate limiting of HTTP/FTP downloads when the servers don't have such a mechanism (AFAIK)?
 
Downloading is done by your application. It can influence how it uses the underlying network, e.g. by manipulating how and how often it requests partial simultaneous downloads and size ranges (e.g. HTTP/206). It can also just use dirty and wasteful tactics like sending TCP resets upstream.
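The receiver-side mechanism the two posts above describe (the client paces its own reads and lets TCP flow control do the rest), as an added example that is not from any poster in this thread: a token-bucket throttled recv() against a constructed local sender. The names TokenBucket, throttled_recv and demo, and the 100 KiB/s default, are assumptions of this example, not anything from PF or a real download manager.

```python
import socket
import threading
import time


class TokenBucket:
    """Byte-rate token bucket; `clock` is injectable so the arithmetic is testable."""

    def __init__(self, rate_bps, burst, clock=time.monotonic):
        self.rate, self.burst = float(rate_bps), float(burst)
        self.tokens, self.clock, self.last = float(burst), clock, clock()

    def take(self, n):
        """Reserve n bytes; return the seconds to sleep first (credit may go negative)."""
        now = self.clock()
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        delay = max(0.0, (n - self.tokens) / self.rate)
        self.tokens -= n
        return delay


def throttled_recv(sock, rate_bps, chunk=4096):
    """Read no faster than rate_bps; returns total bytes received. Unread bytes stay in
    the kernel buffer; once it is full TCP advertises a shrinking window and the peer's
    send() blocks, so a long transfer is paced without the sender cooperating. Bytes
    already in flight were still delivered down the wire (the "pipe" is still filled)."""
    bucket, total = TokenBucket(rate_bps, burst=chunk), 0
    while True:
        delay = bucket.take(chunk)
        if delay > 0:
            time.sleep(delay)
        data = sock.recv(chunk)
        if not data:
            return total
        total += len(data)
        bucket.tokens += chunk - len(data)  # refund the part of the chunk not delivered


def demo(size=200 * 1024, rate_bps=100 * 1024):
    """Constructed local transfer: unthrottled sender thread, receiver capped at rate_bps.
    Returns (bytes received, elapsed seconds); expect roughly size / rate_bps seconds."""
    srv = socket.create_server(("127.0.0.1", 0))
    port = srv.getsockname()[1]
    def sender():  # small transfers finish early into the socket buffer; long ones block
        with socket.create_connection(("127.0.0.1", port)) as s:
            s.sendall(b"x" * size)
    threading.Thread(target=sender, daemon=True).start()
    conn, _ = srv.accept()
    start = time.monotonic()
    got = throttled_recv(conn, rate_bps)
    conn.close(); srv.close()
    return got, time.monotonic() - start
```

Calling `demo()` receives 200 KiB in about two seconds regardless of how fast the sender pushes; PF never sees any of this, because the pacing lives entirely in the receiving application.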
 
So it seems like the need for inbound traffic management never occurred to the designers of these protocols and we're stuck without any practical solution?
 
It's not really the designers' fault. After all, you can shout at the sender to stop, but there is no way to force him to do so. At least I can't figure out how it would be (even theoretically) possible to force someone to stop sending you data.
 
kvi said:
It's not really the designers' fault. After all, you can shout at the sender to stop, but there is no way to force him to do so. At least I can't figure out how it would be (even theoretically) possible to force someone to stop sending you data.

That's what I would like to find out. Is there a well documented way that you could ask them to slow down? Whether they will abide by your request is another matter, but would it not be feasible for some form of bandwidth negotiation to take place before/during the transfer?
 
That is usually handled on the software level when needed (between client & server or client & client). I think it could lead to quite a mess if all the routers worldwide would have to negotiate speed limits and monitor each connection. There can be quite many routers between the server and client. After saying that, I must admit that I'm no expert in this matter.
 