Re: Limiting simultaneous requests from a single ip

To:	lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject:	Re: Limiting simultaneous requests from a single ip
From:	Malcolm Turnbull <Malcolm.Turnbull@xxxxxxxxxxxx>
Date:	Wed, 07 May 2003 08:53:04 +0100

Andres Tello Abrego wrote:

As far I know, limit can work with -d flag..

Um yeah but I've taken the assumption that he actualy meant rate limitby source ip rather than what he said :


>>Is there a way to limit the number of active connections to a single ip
>>>address using ipchains?

'cause hes worried about denail of service from over active proxy servers.

If he used -d then any time a proxy spooled a thousand connections itwould still take his site down 'cause the single limit -d rule would bebroken.

I keep a list of poxy proxy source ips and rate limit them to 10connections per minute.


On Wed, 7 May 2003, Malcolm Turnbull wrote:

Neil,

I've had this problem too.. caused by bastard proxies that spool
thousands of connections.

iptables limit will only work if you specify the source ip address.

their is however an addon module for netfilter called iplimit which will
limit connections from ANY source ip address, i.e. it has its own state
table.

I haven't tested it yet though.


Neil Sandow wrote:

I'm running an LVS (ipvsadm v1.11 2000/06/16 (compiled with popt and IPVS
v0.9.14)) on a Mandrake system (Linux version 2.2.17-21mdksecure ) With 7
realservers behind it.  It's been running for > 2 years and balances the
load quite nicely.

Occassionaly I get a ton of requests from a single ip address that can
really bog things down.  This AM I had > 2500 requests within a 7 minute
period for a page that has lots of ssi's running cgi's.   The cpu load on
ALL realservers skyrocketed and effectively blocked access to the site for
about 5-10 minutes.

Is there a way to limit the number of active connections to a single ip
address using ipchains?    If this is possible using iptables, but not
ipchains, I would upgrade the server to resolve this problem which seems
to be happening several time per week.

Thanks! -Neil




                              ===================
                       Neil Sandow, Pharm.D. rx@xxxxxxxxxx
                    http://rxlist.com - The Internet Drug Index


_______________________________________________
LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://www.in-addr.de/mailman/listinfo/lvs-users



--
Regards,

Malcolm Turnbull.
Crocus.co.uk Ltd
01344 629661
07715 770523

_______________________________________________
LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://www.in-addr.de/mailman/listinfo/lvs-users



--


Regards,

Malcolm Turnbull.

Crocus.co.uk Ltd
01344 629629
http://www.crocus.co.uk/

<Prev in Thread]	Current Thread	[Next in Thread>
Limiting simultaneous requests from a single ip, Neil Sandow Re: Limiting simultaneous requests from a single ip, Joseph Mack Re: Limiting simultaneous requests from a single ip, Andres Tello Abrego Re: Limiting simultaneous requests from a single ip, Malcolm Turnbull Re: Limiting simultaneous requests from a single ip, Andres Tello Abrego Re: Limiting simultaneous requests from a single ip, Malcolm Turnbull <=

Previous by Date:	Re: question regarding DR and uploads, Malcolm Turnbull
Next by Date:	Re: Linux kernel small forwarding perf (was: RE: Small packets handling : LVS-DR vs LVS-NAT), Julian Anastasov
Previous by Thread:	Re: Limiting simultaneous requests from a single ip, Andres Tello Abrego
Next by Thread:	Linux kernel small forwarding perf (was: RE: Small packets handling : LVS-DR vs LVS-NAT), Alexandre Cassen
Indexes:	[Date] [Thread] [Top] [All Lists]