Apologies in advance, but I had seen a question similar to this a few months
back but I can't seem to find it in my archives.
I was after some samples or practical suggestion in regard to Rate Limiting
and Dynamically Denying Services to abusers on a per VIP basis.
I have had a look at:
29.2. Limiting number of clients connecting to LVS
And:
http://www.linuxvirtualserver.org/docs/defense.html
Specifically, we are running web based competition entries (eg. type in your
three bar codes) out of our LVS cluster and want to limit those who might
construct "bots" to auto-enter. The application is structured so that you have
to click through multiple pages and enter a value that is represented in a
dynamically generated PNG.
I would like to:
1. rate limit on each VIP (we can potentially do this at the firewall)
2. ban a source ip if it goes beyond a certain number
"requests-per-time-interval"
3. dynamically take a vip offline if it goes beyond a certain number of
"requests-per-time-interval"
3. toss all "illegal requests" - eg. codered, nimda etc.
Perhaps a combination of iptables, QoS, SNORT etc. would do the job??
Any suggestions or pointers would be gratefully received.
Thanks in advance,
James
|