On 16-02-02 04:34 PM, Rainer Duffner wrote:
On 02.02.2016 at 22:28, Ugo Bellavance <[email protected]> wrote:
Hi,
We are thinking about limiting the amount of connections that can be open per
IP address. We want to avoid getting hammered on a web service that is used by
some clients. We've discovered that they sometimes open just as many http
connections that they can to perform http queries. We will ask them to change
their application to limit the number of concurrent queries, but we're looking
for a way to limit the abusers on our side as well. We guess that we can do
that on the web server side, but I think that the pfSense may be of help.
In our situation, since they are mostly "legitimate" queries, I don't think
that there would be a difference between using the Maximum number of established
connections or Maximum number of state entries.
I have two questions:
I think that when an IP address hits the limit, the packets are dropped by the
default rule, right?
I did some testing and it looks like the tcp connection is not really closed as
soon as the http query is complete, so even if an application sends us queries
in a serial mode (one http query at a time), many queries would get blocked
if I set the Maximum number of established connections per host to 1. My goal
is not to set that to 1 but I just want to illustrate the fact that if I tell
the client to limit the # of concurrent http query to 100, for example, I can't
simply set the parameter to 100. According to my tests, 50 threads can get the
connection count to around 4 000.
They can use HTTP-pipelining:
https://en.wikipedia.org/wiki/HTTP_pipelining
So, limiting at the firewall-level is pretty much pointless for somebody who
wants to abuse a service.
In fact, they don't want to abuse the service, they just wrote their
application to fit their need, without considering the impact of its
use. Their application typically sends less than 1 hit/s but in some
cases (when they lose internet connectivity for a while), they send all
their backlog of missed queries at once (1000-2000).
You’ve already asked them to stop doing this.
Not yet, actually. We are going to, but we are also looking for a way
to enforce it.
Maybe put nginx in front of the web service and use limit_conn and limit_req
directives?
I already have an apache httpd 2.2 reverse proxy in front of it, but I
didn't check yet what kind of modules I could use there.
Thanks,
Ugo
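The nginx approach Rainer suggests, worked out as an added example (this is not configuration from the thread or from either poster). The zone names, the upstream address 127.0.0.1:8080 and every numeric limit are assumed placeholders to be tuned for the real service; the point is that limit_req counts requests rather than connections, so a client that keeps one connection open and pipelines or reuses it is still throttled, which a per-IP connection or state limit at the firewall cannot do.

```nginx
# Added example, not from the thread. Assumed: zone names, backend address
# 127.0.0.1:8080, and the numeric limits, which are placeholders to tune.
events { worker_connections 1024; }

http {
    # Key both zones on the client address; 10m of shared memory holds
    # roughly 160k addresses per zone.
    limit_conn_zone $binary_remote_addr zone=per_ip_conn:10m;
    limit_req_zone  $binary_remote_addr zone=per_ip_req:10m rate=10r/s;

    # Answer 429 instead of the default 503 so a throttled client can
    # tell "slow down" from "the service is down" and back off.
    limit_conn_status 429;
    limit_req_status  429;

    # Log rejections at warn so they stand out in error.log and can be
    # alerted on (a burst of 429s for one address = a backlog flush).
    limit_conn_log_level warn;
    limit_req_log_level  warn;

    upstream webservice {
        server 127.0.0.1:8080;   # assumed backend address
    }

    server {
        listen 80;

        location / {
            # At most 20 open connections per client address, whether
            # each carries one query or many (keep-alive, pipelining).
            limit_conn per_ip_conn 20;

            # Sustain 10 requests/s per client. A burst of up to 200
            # requests is queued rather than rejected, which absorbs a
            # short backlog flush; anything beyond that gets 429 at once.
            # "nodelay" serves the queued burst immediately; remove it
            # to have nginx pace the burst out at 10 r/s instead.
            limit_req zone=per_ip_req burst=200 nodelay;

            proxy_pass http://webservice;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
}
```

Size the burst to the backlog you are willing to absorb (the thread mentions 1000-2000 queued queries) and the rate to what the backend can sustain per client; with a client-side limit of N concurrent queries, limit_conn should sit comfortably above N because of the lingering keep-alive connections observed in the tests above.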
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list