[unisog] Blocking inbound Internet traffic

Bruce Curtis bruce.curtis at ndsu.nodak.edu
Mon May 12 19:51:49 GMT 2003

On Thursday, May 8, 2003, at 01:14 PM, Johan M. Andersen wrote:

>> We're looking into rate limits per IP (rather than port).  I'm curious to
>> hear from people who are doing something like this.  How have you
>> implemented this?  How effective has it been?  What do your users think?
>> etc.
> We use netflow collection plus an oracle database plus cisco policy maps to
> put people over their quota into a very tiny pipe. We only have a quota on
> their upload bandwidth currently. This makes it pretty transparent to most
> of the users (no one here cares how quickly someone else can leech their
> files :). It was REALLY effective, so much so that we could up the quota to
> 100 megabytes of upload data per hour per IP. All of the stuff we wrote to do
> this is open source, and we will probably be publishing it soon. We were
> worried about trying to make a packeteer-type solution work over multiple
> oc3's but this seems to be doing pretty well. It also has the benefit of
> being content-neutral. We do not inspect what our students are doing, we
> only give them resource limits to make sure usage is fair for the entire
> university.
> If anyone is interested in making something like this work using cisco gear,
> and (mostly :) open source software, let me know.
> /johan

   We do something very similar here at NDSU.  The users in the
residence halls were initially pleased, especially since at the time we
rolled it out we took off our fairly draconian limits that were based
on ports (pre Kazaa v2).  Last fall the bandwidth usage grew so much
that we had to lower the daily quota from 600 Mbytes per day to 200
Mbytes per day and we had a few complaints, but they still have lots of
bandwidth available between 2 am and 6 am if the large bandwidth
transfers are really important to them.  We end up rate limiting about
10% of our users, or 200 per day.  Interestingly, the percentage stayed
about the same when we lowered the quota from 600 Mbytes per day to 200
Mbytes per day.


   Here are a couple of links to a presentation on our system, which
we've upgraded since the presentation, so now we use the Cisco policy
maps rather than Cisco CAR, but we still use flat files instead of a
database.  When a user exceeds the quota we limit their traffic in both
directions, but there is no limit on local (on-campus) traffic, even
after they have exceeded their quota.



   Mayville State University is another university in the North Dakota
University System that has implemented an interesting solution.
Rather than modifying the config on a router as we do, they route their
traffic through a Unix box.  Below is a short description of their

   "We’ve been able to hold our utilization very close to our base
allocation using a home-grown Linux based solution.  It enforces user
quotas which adjust automatically based on how close we are to our
base.  It also does firewalling, WWW and DNS caching, forces MAC
address registration, and can be used to block an individual’s internet
access in the event of a policy violation."

Bruce Curtis                     bruce.curtis at ndsu.nodak.edu
Certified NetAnalyst II          701-231-8527
North Dakota State University
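The quota scheme both posts describe (collect flow records, total Internet-bound bytes per residence-hall IP per day, exempt on-campus traffic, then hand the over-quota hosts to a Cisco policy map that squeezes them into a tiny pipe) is sketched below as an added example. This is not NDSU's, Mayville's or Johan's code; the address ranges, the flow records, the 64 kbit/s police rate and the exact IOS access-list/class-map/policy-map syntax are all assumptions made for illustration.

```python
"""Per-IP daily quota from flow records -> Cisco policy-map config.

Added example, not the code from the posts.  Address ranges, sample flows and
the IOS syntax below are assumptions; the 200 Mbyte/day figure is the one
from the NDSU post.
"""
import ipaddress
from collections import defaultdict

CAMPUS_NETS = [ipaddress.ip_network("10.0.0.0/8")]    # assumed campus address space
RESHALL_NET = ipaddress.ip_network("10.20.0.0/16")    # assumed residence-hall space
QUOTA_BYTES = 200 * 1_000_000                          # 200 Mbytes/day per IP

# Constructed sample flow records (src, dst, bytes): the fields a NetFlow
# collector would hand a script after flattening a v5 export for one day.
SAMPLE_FLOWS = [
    ("10.20.1.10", "198.51.100.7", 150_000_000),   # upload to Internet
    ("10.20.1.10", "203.0.113.9",   80_000_000),   # upload to Internet
    ("10.20.1.10", "10.5.5.5",     900_000_000),   # on-campus: never counted
    ("10.20.1.11", "198.51.100.7",  50_000_000),   # upload
    ("198.51.100.7", "10.20.1.11", 700_000_000),   # download: counted only on request
    ("10.20.1.12", "203.0.113.9",  199_999_999),   # just under quota
    ("10.20.1.12", "203.0.113.10",           1),   # lands exactly on the quota
]


def is_campus(addr):
    """True if addr falls in one of the campus prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CAMPUS_NETS)


def bytes_by_host(flows, count_downloads=False):
    """Sum Internet-bound bytes per residence-hall host.

    On-campus traffic is exempt (the post leaves local traffic unlimited even
    after the quota is hit).  By default only uploads count, as in Johan's
    setup; count_downloads=True also charges bytes flowing toward the host.
    """
    totals = defaultdict(int)
    for src, dst, nbytes in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s in RESHALL_NET and not is_campus(dst):
            totals[str(s)] += nbytes                  # upload
        elif count_downloads and d in RESHALL_NET and not is_campus(src):
            totals[str(d)] += nbytes                  # download
    return dict(totals)


def over_quota(totals, quota=QUOTA_BYTES):
    """Hosts strictly above the quota; a host sitting exactly on it is not limited."""
    return sorted(host for host, used in totals.items() if used > quota)


def ios_config(hosts, name="QUOTA-EXCEEDED", cir_bps=64000):
    """Representative IOS config that polices the listed hosts in both
    directions (syntax assumed; check it against your platform and release).

    The ACL matches the host as source (uploads) and as destination
    (downloads); apply the policy-map with 'service-policy' on the border
    interface in the matching direction.
    """
    lines = [f"ip access-list extended {name}"]
    for h in hosts:
        lines.append(f" permit ip host {h} any")
        lines.append(f" permit ip any host {h}")
    lines += [
        f"class-map match-any {name}",
        f" match access-group name {name}",
        "policy-map RESHALL-QUOTA",
        f" class {name}",
        # cir in bits/s, burst in bytes (one second's worth)
        f"  police {cir_bps} {cir_bps // 8} conform-action transmit exceed-action drop",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    totals = bytes_by_host(SAMPLE_FLOWS)
    limited = over_quota(totals)
    for host in sorted(totals):
        print(f"{host:15} {totals[host] / 1e6:8.1f} MB {'LIMIT' if host in limited else ''}")
    print(ios_config(limited))
```

Run against a real collector's daily output, the only pieces that change are the flow-record loader and the campus prefixes; the quota test deliberately uses strict greater-than so a host that lands on exactly 200 Mbytes is not pushed into the slow class.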
