Re: Way to find most active IPs for rate limiting with pf

2020-08-07 Thread Stuart Henderson
On 2020-08-06, Alan McKay  wrote:
> So I want to implement rate limiting, and to determine a reasonable
> rate based on current traffic patterns I'd like to be able to figure
> out which source IPs are generating the most connections and at what
> rate.
>
> Is there a way to do that?

Lots of ways depending on what exactly you want

- "statistics" menu in wireshark

- ntopng is relatively simple to setup for a quick check though
it is a bit unreliable for running long-term (some protocol parsers are not
in great shape and liable to crash)

- netflow - openbsd's built-in implementation pflow(4) works with PF -
and a collector/UI such as nfdump+nfsen (in ports) or elastiflow (not in
ports, haven't tried running it, looks nice though)

- pmacct (in ports, slightly old version as newer ones need a less
ancient libpcap)

- darkstat (in ports)

- probably more in ports



Re: Way to find most active IPs for rate limiting with pf

2020-08-06 Thread philippe aubry
Hi all

May be that can help, something like this :

pass in quick on $ext_if proto tcp from any to ($ext_if) port $tcp_services
(max-src-conn 50, max-src-conn-rate 5/5, overload  flush global)
I use it to blacklist IPs that make too many simultaneous connections to ssh or
other TCP services, but in your case you can get the source IP and do
something with it, like limiting the bandwidth with queueing.

max-src-conn 50: this is the number of simultaneous connections you allow
from one host.
max-src-conn-rate 10/5: the rate of new connections allowed from any single
host, here 10 connections per 5 seconds.

From https://man.openbsd.org/pf.conf#max-pkt-rate

Queueing
    Queueing provides rule-based bandwidth control.

max-pkt-rate number/seconds
    Measure the rate of packets matching the rule and states created by it.
    When the specified rate is exceeded, the rule stops matching. Only
    packets in the direction in which the state was created are considered,
    so that typically requests are counted and replies are not. For example,
    to pass up to 100 ICMP packets per 10 seconds:

        block in proto icmp
        pass in proto icmp max-pkt-rate 100/10

    When the rate is exceeded, all ICMP is blocked until the rate falls
    below 100 per 10 seconds again.

max-src-conn number
    Limits the maximum number of simultaneous TCP connections which have
    completed the 3-way handshake that a single host can make.

max-src-conn-rate number/seconds
    Limit the rate of new connections over a time interval. The connection
    rate is an approximation calculated as a moving average.

Regards

Philippe

Le jeu. 6 août 2020 à 17:20, Jordan Geoghegan  a
écrit :

>
>
> On 2020-08-06 13:46, Alan McKay wrote:
> > So I want to implement rate limiting, and to determine a reasonable
> > rate based on current traffic patterns I'd like to be able to figure
> > out which source IPs are generating the most connections and at what
> > rate.
> >
> > Is there a way to do that?
> >
> >
>
> There is likely a better way to do it, but a quick and dirty method to
> check for number of states for an IP address would be something like:
>
>   $  doas pfctl -s state | grep -Fc "192.0.2.4"
>
> or if you wanted to check for the number of tcp or udp states specifically:
>
>$  doas pfctl -s state | grep "^all tcp" | grep -Fc "192.0.2.4"
>
>
> Regards,
>
> Jordan
>
>
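The overload mechanism Philippe describes needs three pieces that his single rule line only hints at: a table to receive the offenders, a block rule that consults the table, and the pass rule carrying the limits. The fragment below is an added example, not Philippe's ruleset; the interface, service list and table name (em0, ssh/https, <bruteforce>) are placeholders, and the numbers are the ones from his message.

```pf
# Added example of a complete max-src-conn / overload setup for pf.conf(5).
# $ext_if, $tcp_services and <bruteforce> are placeholder names.
ext_if = "em0"
tcp_services = "{ ssh, https }"

# Offenders land here. "persist" keeps the table even when no rule
# references it, so pfctl -t can still manage it after a ruleset reload.
table <bruteforce> persist

# Anything already in the table is dropped before the pass rule is reached.
block in quick on $ext_if from <bruteforce>

# Each source gets at most 50 handshaked connections and 5 new connections
# per 5 seconds to these services. Crossing either limit adds the source to
# <bruteforce>; "flush global" also kills every existing state of that
# source, not only the states created by this rule.
pass in quick on $ext_if proto tcp from any to ($ext_if) port $tcp_services \
    keep state (max-src-conn 50, max-src-conn-rate 5/5, \
    overload <bruteforce> flush global)
```

Before committing to the numbers, watch what the table collects with `doas pfctl -t bruteforce -T show`; a legitimate host that opens many parallel connections (a busy NAT gateway, a monitoring system) will show up there too. Entries never expire on their own, so either remove them by hand (`doas pfctl -t bruteforce -T delete 198.51.100.7`) or age them out from cron with `doas pfctl -t bruteforce -T expire 86400`, which drops entries older than the given number of seconds.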


Re: Way to find most active IPs for rate limiting with pf

2020-08-06 Thread Jordan Geoghegan

On 2020-08-06 13:46, Alan McKay wrote:

> So I want to implement rate limiting, and to determine a reasonable
> rate based on current traffic patterns I'd like to be able to figure
> out which source IPs are generating the most connections and at what
> rate.
>
> Is there a way to do that?

There is likely a better way to do it, but a quick and dirty method to
check for number of states for an IP address would be something like:

  $ doas pfctl -s state | grep -Fc "192.0.2.4"

or if you wanted to check for the number of tcp or udp states specifically:

  $ doas pfctl -s state | grep "^all tcp" | grep -Fc "192.0.2.4"


Regards,

Jordan
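Jordan's grep answers "how many states does this one address have"; the question was "which addresses have the most". The script below is an added example, not from the thread, that turns the same `pfctl -s state` listing into a ranked list of remote hosts. It assumes OpenBSD's one-state-per-line format (`<if> <proto> <local> <- <remote> <state>` for inbound states, `->` for outbound, IPv6 ports written as `addr[port]`); the sample lines are constructed from documentation addresses and stand in for real pfctl output.

```sh
#!/bin/sh
# Added example, not code from the thread. Ranks the remote hosts that opened
# the most connections, using the same `pfctl -s state` listing Jordan greps.
#
# Assumed input format (OpenBSD pfctl, one state per line):
#   <if> <proto> <local-addr:port> <- <remote-addr:port>  <state>   inbound
#   <if> <proto> <local-addr:port> -> <remote-addr:port>  <state>   outbound
# IPv6 endpoints are assumed to be printed as addr[port].
#
# Only inbound ("<-") states are counted: the host to the right of "<-" is the
# peer that initiated the connection, i.e. the "source IP" the question is
# about. Outbound states and NAT-annotated endpoints (a parenthesised address
# next to the arrow) are skipped rather than guessed at.

# top_sources [proto]: reads state lines on stdin, prints "count address"
# sorted by count descending, optionally restricted to one protocol.
top_sources() {
    awk -v proto="${1:-}" '
        NF < 5 { next }                         # not a state line
        proto != "" && $2 != proto { next }     # protocol filter (tcp, udp, ...)
        {
            for (i = 3; i <= NF; i++) if ($i == "<-") break
            if (i > NF) next                    # no "<-": outbound state
            src = $(i + 1)
            if (src ~ /^\(/) next               # NAT annotation: skip
            if (src ~ /\[[0-9]+\]$/)
                sub(/\[[0-9]+\]$/, "", src)     # IPv6: addr[port]
            else
                sub(/:[0-9]+$/, "", src)        # IPv4: addr:port
            count[src]++
        }
        END { for (s in count) print count[s], s }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample standing in for `doas pfctl -s state` (RFC 5737/3849
# documentation addresses, not captured traffic).
SAMPLE_STATES='all tcp 192.0.2.4:22 <- 198.51.100.7:51234       ESTABLISHED:ESTABLISHED
all tcp 192.0.2.4:22 <- 198.51.100.7:51235       ESTABLISHED:ESTABLISHED
all tcp 192.0.2.4:443 <- 198.51.100.7:51236       ESTABLISHED:ESTABLISHED
all tcp 192.0.2.4:22 <- 203.0.113.9:40001       TIME_WAIT:TIME_WAIT
all udp 192.0.2.4:53 <- 203.0.113.9:40002       MULTIPLE:MULTIPLE
all tcp 192.0.2.4:22 <- 2001:db8::1[40003]       ESTABLISHED:ESTABLISHED
all tcp 192.0.2.4:51000 -> 203.0.113.1:80       ESTABLISHED:ESTABLISHED'

# Demo on the sample. On a real firewall replace the printf with:
#     doas pfctl -s state | top_sources tcp
printf '%s\n' "$SAMPLE_STATES" | top_sources
```

Run it a few times at different hours (or feed it `pfctl -s state` output saved by cron) before picking max-src-conn and max-src-conn-rate values: the top entry is often not an attacker but a NAT gateway or a monitoring host, and the count reflects states, which include TIME_WAIT and other half-closed entries, not only live connections.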



Way to find most active IPs for rate limiting with pf

2020-08-06 Thread Alan McKay
So I want to implement rate limiting, and to determine a reasonable
rate based on current traffic patterns I'd like to be able to figure
out which source IPs are generating the most connections and at what
rate.

Is there a way to do that?


-- 
"You should sit in nature for 20 minutes a day.
 Unless you are busy, then you should sit for an hour"
 - Zen Proverb