Ratelimit

From Atomicorp Wiki
Revision as of 17:51, 12 September 2013 by Mshinn (Talk | contribs)


Introduction

ASL 4 introduces rate limiting of TCP and UDP ports. ASL lets you define the rate at which connections may be made to a port, as well as the maximum number of concurrent connections that can be open to a TCP port. This can help mitigate SYN and UDP floods.

For TCP you can define:

  • Per port, rate of connections from a single IP
  • Maximum concurrent connections to the port (for all IPs)

For UDP you can define:

  • Per port, rate of connections from a single IP

Configuration

First you will need to configure the ports to protect, the rate per port, and the maximum number of concurrent connections for each protected TCP port. The engine uses two files, one for TCP ports, one for UDP ports. The files are:

/etc/asl/firewall/rate-limit-tcp

/etc/asl/firewall/rate-limit-udp

The format for the /etc/asl/firewall/rate-limit-tcp file is one line per port:

port:rate:max_concurrent_connections

Example:

80:10:100
443:10:100

The format for the /etc/asl/firewall/rate-limit-udp file is one line per port:

port:rate

Example:

53:100
2049:100

Note: UDP is connectionless, so there are no concurrent connections.
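A pre-flight check for both file formats described above (port:rate:max_concurrent_connections for TCP, port:rate for UDP) is a sensible step before enabling the engine, since a malformed line is easier to catch in a script than in firewall behaviour. The following validator is an added example, not part of the Atomicorp wiki page or of ASL itself. It assumes only what the page states about the format; the port range check (1-65535), the requirement that every field be a positive integer, and the rejection of duplicate ports are this example's own assumptions, and the sample contents are copied from the page's examples.

```python
"""Pre-flight validator for ASL rate-limit files (added example, not ASL code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_PORT = 65535  # assumption: standard TCP/UDP port range


@dataclass(frozen=True)
class RateLimit:
    port: int
    rate: int
    max_concurrent: Optional[int]  # None for UDP: connectionless, so no concurrency limit


def _positive_int(field: str, name: str) -> int:
    """Return field as a positive int, or raise ValueError with a useful message."""
    try:
        value = int(field)
    except ValueError:
        raise ValueError(f"{name} {field!r} is not an integer") from None
    if value <= 0:
        raise ValueError(f"{name} must be positive, got {value}")
    return value


def parse_entry(line: str, proto: str) -> RateLimit:
    """Parse one line: port:rate:max_concurrent_connections (tcp) or port:rate (udp)."""
    if proto not in ("tcp", "udp"):
        raise ValueError(f"unknown protocol {proto!r}")
    fields = line.split(":")
    expected = 3 if proto == "tcp" else 2
    if len(fields) != expected:
        raise ValueError(
            f"expected {expected} colon-separated fields for {proto}, got {len(fields)}"
        )
    port = _positive_int(fields[0], "port")
    if port > MAX_PORT:
        raise ValueError(f"port {port} is out of range 1-{MAX_PORT}")
    rate = _positive_int(fields[1], "rate")
    max_conc = _positive_int(fields[2], "max_concurrent_connections") if proto == "tcp" else None
    return RateLimit(port, rate, max_conc)


def parse_rate_limits(text: str, proto: str) -> Tuple[Dict[int, RateLimit], List[str]]:
    """Parse a whole file. Returns (limits keyed by port, list of error messages).

    Blank lines are skipped; every other line must be a valid entry. Errors are
    collected rather than raised so one run reports every bad line.
    """
    limits: Dict[int, RateLimit] = {}
    errors: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        try:
            entry = parse_entry(line, proto)
        except ValueError as exc:
            errors.append(f"line {lineno}: {exc}")
            continue
        if entry.port in limits:
            errors.append(f"line {lineno}: duplicate entry for port {entry.port}")
            continue
        limits[entry.port] = entry
    return limits, errors


# Sample file contents, copied from the wiki page's examples.
TCP_SAMPLE = "80:10:100\n443:10:100\n"
UDP_SAMPLE = "53:100\n2049:100\n"

if __name__ == "__main__":
    # Check the real files if present, otherwise fall back to the page's samples.
    for path, proto, sample in (
        ("/etc/asl/firewall/rate-limit-tcp", "tcp", TCP_SAMPLE),
        ("/etc/asl/firewall/rate-limit-udp", "udp", UDP_SAMPLE),
    ):
        try:
            with open(path) as fh:
                text = fh.read()
        except OSError as exc:
            print(f"{path}: cannot read ({exc}); checking the wiki sample instead")
            text = sample
        limits, errors = parse_rate_limits(text, proto)
        for err in errors:
            print(f"{path}: ERROR {err}")
        for entry in sorted(limits.values(), key=lambda e: e.port):
            extra = f" max_concurrent={entry.max_concurrent}" if entry.max_concurrent is not None else ""
            print(f"{path}: {proto}/{entry.port} rate={entry.rate}{extra}")
```

Run it as root (or any user that can read /etc/asl/firewall) before turning the engine on; a non-empty error list means the file should be fixed first. Because the page does not say whether ASL tolerates comment lines, the validator deliberately treats any non-blank, non-entry line as an error rather than guessing.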

Enabling

Once you have rate limiting configured, you will need to enable it. Please see this option to enable the engine:

https://www.atomicorp.com/wiki/index.php/ASL_firewall#FW_RATE_LIMIT

And then follow the instructions in this document to configure rate limiting for your system.
