2

I have a situation where a server makes lots of requests from big webservers all at the same time. Currently, I have no control over the amount of requests or the rate of the requests from the application that does this. The responses from these webservers are more than the internet line can handle. (Basically, we are launching a DoS on ourselves.)

I am going to push to get this fixed at the application level, but for the time being, is there any way I can use traffic shaping on the Linux server to control this? I know I can only shape outbound traffic, but maybe there is a way I can slow the TCP responses so the other side will detect congestion and this will help my situation? If there is anything like this with tc, what might the configuration look like?

The idea is that the traffic control might help me control which packets get dropped before they reach my router.

Kyle Brandt

3 Answers

3

You should be able to rate limit TCP connections. If the remote servers are obeying TCP packet transmit and receive rules, then you should be able to rate limit to avoid a DoS.

I've had good success with HTB http://luxik.cdi.cz/~devik/qos/htb/manual/userg.htm

If you're more familiar with Cisco, then you could implement a QoS policy on your gateway rather than on the server itself.

Using QoS is a better solution than iptables --limit; it makes sure that available bandwidth is used effectively. No streams will be starved and each will be treated fairly.

HTB is quite advanced; you can use some of the other QoS methods first to get a handle on how QoS works. It's easy to write QoS rules, but it's much harder to prove they are actually doing what you want in all use cases.

The Unix Janitor
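A worked tc configuration along the lines of this answer, added here as an example and not the answerer's own config: HTB on egress paces what the server sends to the webservers (requests and ACKs), and a tc ingress policer drops inbound packets above the chosen ceiling so the remote TCP stacks see loss and back off. The interface name, rates, burst size and port 80 are placeholder assumptions.

```bash
#!/usr/bin/env bash
# Added example (not the answerer's configuration). Assumed placeholders:
# DEV=eth0, RATE/CEIL in tc units (e.g. 2mbit/8mbit), BURST=100k, port 80.
# Egress: HTB shapes what this host sends to the webservers (requests and
# ACKs), which slows the senders' window growth. Ingress: a policer drops
# inbound packets above CEIL so the remote TCP stacks see loss and back off.
# Caveat: policed packets have already crossed the WAN link; the policer only
# strengthens the congestion signal, it does not free line capacity by itself.
set -eu

# Emit the tc commands for review; nothing is executed here.
tc_plan() {
  local dev="$1" rate="$2" ceil="$3" burst="$4"
  cat <<EOF
tc qdisc del dev $dev root 2>/dev/null || true
tc qdisc del dev $dev ingress 2>/dev/null || true
tc qdisc add dev $dev root handle 1: htb default 20
tc class add dev $dev parent 1: classid 1:1 htb rate $ceil ceil $ceil
tc class add dev $dev parent 1:1 classid 1:10 htb rate $rate ceil $ceil prio 1
tc class add dev $dev parent 1:1 classid 1:20 htb rate $rate ceil $ceil prio 2
tc qdisc add dev $dev parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev $dev parent 1:20 handle 20: sfq perturb 10
tc filter add dev $dev parent 1: protocol ip prio 1 u32 match ip protocol 6 0xff match ip dport 80 0xffff flowid 1:10
tc qdisc add dev $dev handle ffff: ingress
tc filter add dev $dev parent ffff: protocol ip prio 1 u32 match ip src 0.0.0.0/0 police rate $ceil burst $burst drop flowid :1
EOF
}

# Execute the plan line by line (needs root and iproute2).
apply_plan() {
  tc_plan "$@" | while IFS= read -r cmd; do eval "$cmd"; done
}

if [ "${APPLY:-0}" = 1 ]; then
  apply_plan "${DEV:-eth0}" "${RATE:-2mbit}" "${CEIL:-8mbit}" "${BURST:-100k}"
else
  tc_plan "${DEV:-eth0}" "${RATE:-2mbit}" "${CEIL:-8mbit}" "${BURST:-100k}"
fi
```

Without APPLY=1 the script only prints the plan; run it as root with APPLY=1 to install the qdiscs, and check the effect with `tc -s qdisc show dev eth0` (dropped counts on the ingress policer).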
2

I think you could use iptables with "--limit", or maybe hashlimit (or with recent --seconds --hitcount). [Of course only as a temporary solution.]

Chris Lercher
0

How about using trickle? It can also be run as trickled for global bandwidth shaping: http://www.linux.com/archive/feed/61293 (actually just discovered this myself :-)

Chris Lercher