[unisog] High speed firewalls - Connections per second not bits per second

Gary MacIsaac gary at psych.ubc.ca
Tue Feb 22 20:54:53 GMT 2005

Getchell, Adam said:
>> I seem to recall someone adding a connection rate limiting
>> per source IP on some firewall product but I can't recall
>> which one.  The problem you're having is that the 1k cps is
>> shared amongst all your users rather than giving an
>> individual IP his own right to kill his own connection.  This
>> has got to be a common problem for fw vendors these days.
>> In quick googling, I've seen hints that iptables and maybe
>> very new OpenBSD/pf support them.  Surely some commercial
>> product also contains that feature.
> Sure, it's not really a problem using OpenBSD/pf.
> For example, the rule:
> pass in on $ext_if inet proto tcp from any to port = www \
> 	flags S/SA  synproxy state (source-track rule, max-src-conn 1000, \
> 	max-src-conn-rate 1000/5, overload <bad> flush global, src.track 5)
> Completes the 3-way handshake on the firewall before passing the
> connection to the host (synproxy state).
> Allows a maximum of 1000 connections from a given source at a rate of 1000
> per 5 seconds (max-src-conn 1000, max-src-conn-rate 1000/5), passes hosts
> which exceed these bounds into the <bad> table and flushes all connections
> originating from that host (overload <bad> flush global), and retains
> source tracking entries for 5 seconds after the last state expires
> (src.track 5).
> Combine this with adaptive state table entries and you'll ensure that you
> don't run out of states.
>> Chris


Does this mean that if a particular source on a subnet just cycles through
spoofing source addresses within that subnet at high rates, it would be
able to force all the IP addresses on that subnet into the <bad> table for
an extended period?


Gary MacIsaac
Systems and Network Manager
Dept. of Psychology
University of British Columbia
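As an added illustration, not part of the thread, here is a pf.conf fragment placing the quoted rule in context: the <bad> table definition, a block rule that actually uses it, the adaptive state timeouts Chris refers to, and the pfctl commands for inspecting the table and expiring old entries (which is what bounds how long any address stays in <bad>). The interface name, state limits and timeout values are assumed for the example.

```pf
# Added example, not from the thread: a minimal pf.conf around the quoted
# rule. Interface name, limits and timeouts are illustrative assumptions.
ext_if = "em0"            # assumed external interface name

# Overload table; 'persist' keeps it loaded even when empty.
table <bad> persist

# Adaptive timeouts: once the state table exceeds adaptive.start entries,
# state timeouts are scaled down linearly, reaching zero at adaptive.end,
# so a burst of states ages out faster instead of exhausting the table.
set limit states 20000
set timeout { adaptive.start 12000, adaptive.end 20000 }

# Without a rule like this, an overloaded host only has its states flushed;
# this is what actually drops further traffic from <bad> entries.
block in quick on $ext_if from <bad>

# The rule from the thread: proxy the handshake, cap per-source connection
# count and rate, and move offenders into <bad>, killing their states.
pass in on $ext_if inet proto tcp from any to port = www \
    flags S/SA synproxy state (source-track rule, max-src-conn 1000, \
    max-src-conn-rate 1000/5, overload <bad> flush global, src.track 5)

# Operational checks (shell commands, not part of pf.conf):
#   pfctl -nf /etc/pf.conf        # syntax-check the ruleset before loading
#   pfctl -t bad -T show          # list addresses currently in <bad>
#   pfctl -s sources              # per-source tracking counters
#   pfctl -t bad -T expire 600    # drop <bad> entries older than 600 s;
#                                 # run from cron so overload entries do
#                                 # not remain in the table indefinitely
```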
