Under Attack: Bandwidth throttling on 5.2.1?

Panagiotis pnestora at ee.duth.gr
Thu Sep 14 12:53:22 PDT 2006


Chris wrote:

> This is probably going to tax the memory. I'm sorry in advance.
>
> We observed 2 hangs and 3 crashes in the last 5 hours and finally
> after looking at the nature of the traffic, it appears to be little
> infested windows spybots from all over targeting our forums to
> attempt to reply to all messages with gambling and other spam. The
> referer in every case is a few obvious spam sites. We measured 33
> pages per second and all invoking perl (well you can imagine the load).
> It's killed the system in several ways I've never even seen. We
> shutdown on purpose for the first time in years which is pretty bad
> for business. I'm readying the quad opteron tyan to take down and
> shove in its place since the T1 can't swamp it, but still building.
> The machine is a dual 3.0 xeon with 4G and Intel 1000/Pro on 5.2.1
> with IPFW enabled. If I can configure throttling on this old a
> system, we could come back up I think and try ride out the attack.
> I've never done this before but in an earlier thread I saw where you
> configure a pipe such as:
>
> ipfw pipe 1 config bw 256Kbit/s
> ipfw add pipe 1 tcp from 192.168.1.2 80 to any
>
> then set sysctl.conf
> net.inet.ip.fw.one_pass=1
>
> Is that all that's necessary for this old a system or is there
> anything else? If this is correct, would this keep this fellow from
> crashing

To use traffic shaping with IPFW you have to compile the kernel with the 
following options:

options         DUMMYNET
options         HZ=1000

then you can add some lines like these to make your bandwidth limit work:

#first flush all the previous pipes
ipfw -q -f pipe flush

ipfw pipe 1 config bw 256Kbit/s
ipfw add pipe 1 tcp from any to any

usually we use two pipes, one for download and one for upload, so you can 
try something like this:

#first flush all the previous pipes
ipfw -q -f pipe flush

#upload bandwidth+download bandwidth=total bandwidth
#pipe for upload
ipfw pipe 1 config bw 128Kbit/s
#pipe for download
ipfw pipe 2 config bw 256Kbit/s

server_port="20,21,80,443,995,...,etc"
#the mask is an assumption: without one ipfw reads 192.168.0.0 as a single host
internal_network="192.168.0.0/24"

#config upload
ipfw add pipe 1 tcp from $internal_network to any $server_port
#config download
ipfw add pipe 2 tcp from any $server_port to $internal_network

The variables "server_port" and "internal_network" are examples of 
course... :-)
If you are running natd on your machine then you have to put rules AFTER 
the divert natd rule, like these:
ipfw add pipe 1 tcp from {external_ip} to any $server_port
ipfw add pipe 2 tcp from any $server_port to $internal_network

The net.inet.ip.fw.one_pass=1 must be set if you want your traffic to 
pass through the pipes and not continue to the next rules....

Sorry for my bad English....
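As an added illustration (not part of the original mail), the following POSIX sh script builds the two-pipe dummynet rule set from the reply above, validates the bandwidth spelling dummynet accepts, and sets net.inet.ip.fw.one_pass=1 afterwards. It follows the reply's rule pattern (a gateway shaping a client network on a list of server ports) and covers the natd variant by taking an optional external IP as the source of the upload rule. The values IPFW_CMD, SYSCTL_CMD, the /24 mask on the internal network and the 80,443 port list are assumptions; by default the script only prints the ipfw and sysctl commands, and it needs IPFW_CMD=ipfw SYSCTL_CMD=sysctl on a FreeBSD host with DUMMYNET in the kernel to apply them for real.

```shell
#!/bin/sh
# Added example, not from the original mail: build and optionally apply the
# dummynet shaping rules the reply describes.  With IPFW_CMD unset the rules
# are only printed; on a FreeBSD host whose kernel has "options DUMMYNET"
# run it with IPFW_CMD=ipfw SYSCTL_CMD=sysctl to apply them.
IPFW_CMD="${IPFW_CMD:-echo ipfw}"
SYSCTL_CMD="${SYSCTL_CMD:-echo sysctl}"

# Constructed sample values.  The mail writes 192.168.0.0 with no mask, which
# ipfw would read as the single host 192.168.0.0; the /24 here is an assumption.
UP_BW="128Kbit/s"
DOWN_BW="256Kbit/s"
INTERNAL_NET="192.168.0.0/24"
SERVER_PORTS="80,443"

# Accept the bandwidth spelling dummynet understands: an integer followed by
# bit/s, Kbit/s, Mbit/s, Bytes/s, KBytes/s or MBytes/s.  Returns 0 if valid.
valid_bw() {
    case "$1" in */s) ;; *) return 1 ;; esac
    num=${1%bit/s}
    num=${num%Bytes/s}
    num=${num%K}
    num=${num%M}
    case "$num" in
        "" | *[!0-9]*) return 1 ;;
    esac
    return 0
}

# Print the argument list for each ipfw call, one per line, in the order the
# reply gives: flush, two pipes, upload rule, download rule.  Arguments:
#   $1 upload bw   $2 download bw   $3 internal network   $4 server ports
#   $5 external IP (optional): the natd case, where outbound packets have
#      already been translated and the rules must sit after the divert rule
dummynet_rules() {
    up_bw=$1; down_bw=$2; net=$3; ports=$4; ext_ip=$5
    valid_bw "$up_bw" || return 1
    valid_bw "$down_bw" || return 1
    src=${ext_ip:-$net}
    printf '%s\n' \
        "-q -f pipe flush" \
        "pipe 1 config bw $up_bw" \
        "pipe 2 config bw $down_bw" \
        "add pipe 1 tcp from $src to any $ports" \
        "add pipe 2 tcp from any $ports to $net"
}

# Run each line through ipfw, then set one_pass so a packet that matched a
# pipe leaves the ruleset instead of being checked against the later rules.
apply_rules() {
    valid_bw "$1" || return 1
    valid_bw "$2" || return 1
    dummynet_rules "$@" | while IFS= read -r line; do
        # word splitting is intended: every word becomes one ipfw argument
        $IPFW_CMD $line
    done
    $SYSCTL_CMD net.inet.ip.fw.one_pass=1
}

apply_rules "$UP_BW" "$DOWN_BW" "$INTERNAL_NET" "$SERVER_PORTS"
```

The flush at the start means re-running the script replaces the previous pipe configuration rather than stacking new rules on top of it. The sysctl call only changes the running kernel; to survive a reboot the one_pass setting still goes into /etc/sysctl.conf as the mail says.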
