DaemonForums  

#1
7th October 2008
plexter
Shell Scout
 
Join Date: May 2008
Posts: 124
Thanked 0 Times in 0 Posts
Limit Bandwidth (not throughput)

Hello,

I am wondering if anyone has any insight as to how you can limit the total bandwidth used by a particular IP/host...etc? I know PF/ALTQ can prioritize and limit the total usable connection speed but I am looking to do something more like a ratio: once you reach X you are cut off. And I suppose in my case with the bandwidth you would be cut off for Y amount of time.

Is there any simple way of doing this? I have yet to see any software (knowingly) to do this on OpenBSD.

Thanks!

P.S. I apologize if PF is able to do this. Please point me to the topic in the man page if doable.
#2
8th October 2008
jggimi
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 3,710
Thanked 214 Times in 189 Posts

If you want to shut off a connection after so many bytes, you'll have to do it via a manual examination of PF state tables. This might be as simple as a cron job that examines the output of # pfctl -vs state.
I used to do this with a cron job, to limit script kiddies from looping stupid ftpd attacks on "User Administrator" or other common userids that did not exist. I found a simple modification to ftpd can drop those sessions, and that's a much easier solution.

I submitted it as a patch last month. It was partially accepted, but what was accepted did not stop kiddie scripts from looping, so I still have a slightly modified ftpd.
PF can handle state creations via stateful tracking options, but it only directly limits already established and valid sessions -- not killed via stateful "overload flush" -- via traffic shaping from queue management. You have choices here, such as simple packet priority, bps, or percentage of bps of a parent queue.

Last edited by jggimi; 8th October 2008 at 12:49 AM. Reason: visual clarity, typos
#3
8th October 2008
plexter
 
Join Date: May 2008
Posts: 124
Thanked 0 Times in 0 Posts

Hello again jggimi,

Interesting. State would not be 100% accurate though right? For example if I were to reboot the system the states logs would be reset to 0 I presume?

I would be interested in seeing any example of how to implement this nonetheless.

It would be nice if there were a more exact way of handling this either through another program or if PF/ALTQ were expanded to support it.

pass in on.... from $host ... port ... max bps number/days or something.

Anyway thank you for your input.
#4
8th October 2008
jggimi
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 3,710
Thanked 214 Times in 189 Posts

Rebooting a router will obviously kill any state table within it. Even if a future PF development hooked bytes-transferred into stateful tracking, rebooting starts from scratch. As it does today with all of the stateful tracking knobs.

When I had a cron job tracking bytes transferred, it was a simple perl script that used the output from sysutils/pftop. The state table data from pftop are no longer accurate, as it has not caught up with all PF changes. This is why I recommended using pfctl instead -- it can be trusted to stay in sync with PF changes.

From memory, the script ran every 5 minutes, looked for inbound ftp control sessions (port 21) that had surpassed a total bytes transferred threshold (300KB). When found, the script would:
  1. add the offending IP address to a PF table of blocked addresses
  2. kill the state (dropping the session)
  3. append the IP address to the flat-file backup of the PF table (for restoring the table on reboot)
  4. add a record of the block to a DBMS table with timestamp, IP address, and reason
  5. send me an e-mail.
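The five steps above, written out as a cron-driven sh script. This is an added example, not jggimi's perl script and not anything posted in the thread. It assumes the multi-line layout that "pfctl -vs state" printed on OpenBSD 4.x (a header line "<if> tcp <local>:<port> <- <peer>:<port> ..." followed by a counters line containing "<in>:<out> bytes,"), IPv4 addresses without NAT/rdr annotation, a PF table named ftpabusers backed by the file /etc/pf.ftpabusers, syslog in place of the DBMS row, and mail(1) for the notification; the table name, file path and sample state entries are constructed for the example.

```shell
#!/bin/sh
# Added example, not jggimi's script: scan PF state output every few minutes
# and block any peer whose inbound ftp control session (port 21) has moved
# more than THRESHOLD bytes, following the five steps from the thread.
#
# Assumptions (not from the thread):
#  * "pfctl -vs state" prints each entry as a header line
#       <if> tcp <local>:<port> <- <peer>:<port>   ESTABLISHED:ESTABLISHED
#    followed by a counters line containing "<in>:<out> bytes,"; IPv4 only,
#    no NAT/rdr annotation in parentheses.
#  * pf.conf declares the table and a rule that uses it, e.g.
#       table <ftpabusers> persist file "/etc/pf.ftpabusers"
#       block in quick proto tcp from <ftpabusers> to any port 21
#  * a cron entry such as:  */5 * * * * /usr/local/sbin/ftplimit.sh run

THRESHOLD=${THRESHOLD:-307200}         # 300 KB, the figure from the thread
TABLE=${TABLE:-ftpabusers}             # PF table named in pf.conf (assumed name)
BACKUP=${BACKUP:-/etc/pf.ftpabusers}   # flat file that repopulates the table on reboot
PFCTL=${PFCTL:-pfctl}                  # overridable so the actions can be dry-run

# find_offenders THRESHOLD < pfctl-output
# Prints "<peer-ip> <total-bytes>" for every inbound tcp state to local port 21
# whose in+out byte count exceeds THRESHOLD.
find_offenders() {
    awk -v limit="$1" '
        # header line: remember the peer only when the local side is port 21
        # and the arrow points inbound ("<-")
        $2 == "tcp" {
            peer = ""
            if ($4 == "<-" && $3 ~ /:21$/) {
                peer = $5
                sub(/:[0-9]+$/, "", peer)     # strip the peer port
            }
            next
        }
        # counters line of the entry just seen: "... 21000:330100 bytes, ..."
        peer != "" && /bytes/ {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^bytes/) {
                    split($(i - 1), b, ":")
                    total = b[1] + b[2]
                    if (total > limit) print peer, total
                }
            peer = ""
        }
    '
}

# block_host IP BYTES: the thread's steps 1-5; step 4 uses syslog rather than
# a DBMS row, and step 5 assumes mail(1) delivers to root.
block_host() {
    ip=$1; bytes=$2
    "$PFCTL" -t "$TABLE" -T add "$ip"                                  # 1. add to the block table
    "$PFCTL" -k "$ip"                                                  # 2. kill the host's states
    grep -qxF "$ip" "$BACKUP" 2>/dev/null || echo "$ip" >> "$BACKUP"   # 3. persist for reboot
    logger -t ftplimit "blocked $ip after $bytes bytes on port 21"     # 4. record (syslog timestamps it)
    printf 'blocked %s after %s bytes on its ftp control session\n' "$ip" "$bytes" |
        mail -s "ftplimit: $ip blocked" root                           # 5. notify
}

# Constructed sample of three states: one over the limit on port 21, one under
# it, and one large ssh session that must be ignored.
SAMPLE_STATES='all tcp 203.0.113.10:21 <- 198.51.100.7:49152       ESTABLISHED:ESTABLISHED
   [1 + 65535] wscale 0  [1 + 65535] wscale 0
   age 00:02:31, expires in 23:57:29, 410:520 pkts, 21000:330100 bytes, rule 5
   id: 0000000000000001 creatorid: 00000001
all tcp 203.0.113.10:21 <- 198.51.100.8:50000       ESTABLISHED:ESTABLISHED
   [1 + 65535] wscale 0  [1 + 65535] wscale 0
   age 00:00:09, expires in 23:59:51, 4:3 pkts, 240:180 bytes, rule 5
   id: 0000000000000002 creatorid: 00000001
all tcp 203.0.113.10:22 <- 198.51.100.9:51000       ESTABLISHED:ESTABLISHED
   [1 + 65535] wscale 0  [1 + 65535] wscale 0
   age 01:12:00, expires in 22:48:00, 9000:8000 pkts, 5000000:7000000 bytes, rule 3
   id: 0000000000000003 creatorid: 00000001'

case ${1:-demo} in
    run)   "$PFCTL" -vs state | find_offenders "$THRESHOLD" |
               while read -r ip bytes; do block_host "$ip" "$bytes"; done ;;
    demo)  printf '%s\n' "$SAMPLE_STATES" | find_offenders "$THRESHOLD" ;;
esac
```

Run without arguments it only parses the constructed sample and prints the one peer over 300 KB; "run" performs the real scan and the blocking actions. The "persist file" table option is what covers step 3: pf reloads the table from the flat file when the ruleset is loaded after a reboot, so the script only has to append to that file. Note that, as jggimi says in the next post, the byte counters live in the state table, so a reboot or a state expiry resets them; the threshold is per session, not a lifetime quota.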
#5
9th October 2008
plexter
Shell Scout
 
Join Date: May 2008
Posts: 124
Thanked 0 Times in 0 Posts

Awesome

Now that you wrote it out it makes a little more sense! Haha. I will play around with this idea.

Thanks a lot for your input. Good luck with that OBSD patch submission.
#6
9th October 2008
jggimi
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 3,710
Thanked 214 Times in 189 Posts

Already submitted; already partially accepted.
Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick