[unisog] High speed firewalls - Connections per second not bits per second
gary at psych.ubc.ca
Tue Feb 22 20:54:53 GMT 2005
Getchell, Adam said:
>> I seem to recall someone adding a connection rate limiting
>> per source IP on some firewall product but I can't recall
>> which one. The problem you're having is that the 1k cps is
>> shared amongst all your users rather than giving an
>> individual IP his own right to kill his own connection. This
>> has got to be a common problem for fw vendors these days.
>> In quick googling, I've seen hints that iptables and maybe
>> very new OpenBSD/pf support them. Surely some commercial
>> product also contains that feature.
> Sure, it's not really a problem using OpenBSD/pf.
> For example, the rule:
> pass in on $ext_if inet proto tcp from any to 10.0.0.1 port = www \
> flags S/SA synproxy state (source-track rule, max-src-conn 1000, \
> max-src-conn-rate 1000/5, overload <bad> flush global, src.track 5)
> Completes the 3-way handshake on the firewall before passing them
> to the host (synproxy state).
> Allows a maximum of 1000 connections from a given source at a rate of 1000
> per 5 seconds (max-src-conn 1000, max-src-conn-rate 1000/5), passes hosts
> that exceed these bounds into the <bad> table and flushes all connections
> originating from that host (overload <bad> flush global), and retains
> tracking entries for 5 seconds after the last state expires (src.track 5).
> Combine this with adaptive state table entries and you'll ensure that you
> don't run out of states.
Does this mean that if a particular source on a subnet just cycles through
spoofing source addresses within that subnet at high rates, it would be
able to force all the IP addresses on that subnet into the <bad> table for
an extended period?
Systems and Network Manager
Dept. of Psychology
University of British Columbia
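An added example, not part of the original thread, that places the quoted rule in a complete minimal pf.conf so the pieces the reply mentions (the overload table, the block rule that uses it, and adaptive state timeouts) can be seen together. The interface name, addresses, and limit figures are assumptions for illustration; the rule itself is the one quoted above.

```pf
# Added example, not from the original post. Interface, addresses and
# limits are illustrative assumptions.
ext_if  = "em0"
web_srv = "10.0.0.1"

# Table that receives sources exceeding the limits. "persist" keeps it
# defined even while empty so pfctl can inspect and expire it.
table <bad> persist

# Adaptive state timeouts (the "adaptive state table entries" the reply
# refers to): above adaptive.start entries pf scales state timeouts down
# linearly, reaching zero at adaptive.end. Keep adaptive.end at or below
# the state limit.
set limit states 100000
set timeout { adaptive.start 60000, adaptive.end 120000 }

# Drop anything from a source already in the overload table.
block in quick on $ext_if from <bad>

# The rule quoted in the thread, with the literal address replaced by
# the macro above.
pass in on $ext_if inet proto tcp from any to $web_srv port = www \
    flags S/SA synproxy state (source-track rule, max-src-conn 1000, \
    max-src-conn-rate 1000/5, overload <bad> flush global, src.track 5)
```

Entries added to <bad> by the overload clause are not aged out by pf itself, which is what makes the spoofing question above matter: an address stays blocked until it is removed. Inspect the table with `pfctl -t bad -T show` and remove entries older than a chosen age with `pfctl -t bad -T expire 3600` (seconds), typically from cron, so that a source pushed into the table is not blocked indefinitely.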