netpass
asked on
How to limit number of routes per ip
I have a Linux firewall box, and I sometimes find many "dst cache overflow" messages. There are some ways to overcome this, e.g. increase /proc/sys/net/ipv4/route/max_size or set secret_interval to a lower value. However, these do not solve the root cause of the problem. I found the root cause is that some users connect to very many destinations in a short period (maybe BT, viruses, etc.). I can list the routes with "route -Cn".
I want to know whether there is any means to limit the number of routes per IP. Solutions, comments, ideas and directions are welcome.
You can limit the number of connections in a period of time with the recent module in iptables.
http://www.ducea.com/2006/06/28/using-iptables-to-block-brute-force-attacks/
http://www.e18.physik.tu-muenchen.de/~tnagel/ipt_recent/
netpass, hi.
> There are some ways to overcome this, e.g. increase /proc/sys/net/ipv4/route/max_size or set secret_interval to a lower value. However, these do not solve the root cause of the problem.
Really, the root cause may be heavy network load on your server (servers/users behind the firewall), so that is a normal solution.
How many 'routes per IP' do you think is 'the maximum', and how many total 'ip cache routes' do you think is OK? There is no such control as 'ip route cache entries per IP', since all IPs are equal for the routing process and you have as many ip route cache entries as IPs you (or users behind the firewall) are trying to access.
I agree with Blaz, you may try to use the 'recent' module (in the PREROUTING chain), but you may also try to modify other route cache control parameters:
'gc_interval' or 'gc_thresh'
http://www.linuxinsight.com/proc_sys_net_ipv4_route_gc_interval.html
http://www.linuxinsight.com/proc_sys_net_ipv4_route_gc_thresh.html
ASKER
Thanks for your suggestions.
However, both gc_interval and gc_thresh are applied to the whole box, i.e. both normal and abnormal users will be affected. If I only want to prevent those abnormal users (making many new connections) from polluting the routing table, any suggestions?
The "recent" module may be the direction. However, I don't know how to set the rule for "drop a new connection if the last new connection was made < x seconds ago".
Did you look at the links I posted about the recent iptables module?
For example:
# PREROUTING only exists in the raw, mangle and nat tables, so the chain lives in mangle
iptables -t mangle -N RATELIMIT
# only the first packet of a connection (conntrack state NEW) is rate-limited
iptables -t mangle -A PREROUTING -m state --state NEW -j RATELIMIT
# record this source address in the RateLimit list
iptables -t mangle -A RATELIMIT -m recent --set --name RateLimit
# drop when the source has 20 or more hits inside the last 100 seconds
iptables -t mangle -A RATELIMIT -m recent --update --seconds 100 --hitcount 20 --name RateLimit -j DROP
These rules will limit any host to fewer than 20 new connections in a time window of 100 seconds.
ASKER
Thanks, I will try and advise the result
ASKER
After verification, it works. By limiting the frequency of "NEW" connections, I can limit the rate of new routes added to the route cache. Anyway, I want to know how "NEW" is defined, as it seems to be quite different for different protocols, e.g. icmp, udp, tcp, etc. For example, in ICMP, each ping is a "NEW" session even to the same destination! In TCP, each TCP session is a "NEW" session.
Can anyone help to clarify? Thanks in advance.
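An added simulation (not code from this thread) of what the posted RATELIMIT chain does to a constructed packet trace, covering both the --set/--update rules above and the question of what counts as NEW: the per-protocol NEW model (every ICMP echo request is NEW, as observed above; a bare TCP SYN is NEW; a UDP 5-tuple is NEW only the first time) is a simplification of conntrack, and the sample traffic is invented.

```python
from collections import defaultdict, deque

SECONDS = 100   # --seconds 100 from the posted RATELIMIT rule
HITCOUNT = 20   # --hitcount 20

def is_new(seen_flows, pkt):
    """Simplified conntrack NEW test (assumption, not conntrack's code):
    ICMP: every echo request is NEW, as the asker observed;
    TCP: NEW only for a bare SYN; UDP: NEW for a never-seen 5-tuple."""
    key = (pkt["src"], pkt["dst"], pkt["proto"], pkt.get("sport"), pkt.get("dport"))
    if pkt["proto"] == "icmp":
        return True
    if pkt["proto"] == "tcp":
        if pkt.get("syn") and not pkt.get("ack"):
            seen_flows.add(key)
            return True
        return False
    if key in seen_flows:          # udp
        return False
    seen_flows.add(key)
    return True

def rate_limit(packets, seconds=SECONDS, hitcount=HITCOUNT):
    """Replay the trace through `--set` then `--update --seconds --hitcount`;
    return the (time, src) pairs the DROP rule would hit."""
    recent = defaultdict(lambda: deque(maxlen=hitcount))  # the RateLimit list
    seen_flows, dropped = set(), []
    for pkt in sorted(packets, key=lambda p: p["t"]):
        if not is_new(seen_flows, pkt):
            continue               # only --state NEW jumps to RATELIMIT
        stamps = recent[pkt["src"]]
        stamps.append(pkt["t"])    # --set: record this packet's timestamp
        while stamps and pkt["t"] - stamps[0] > seconds:
            stamps.popleft()       # outside the --seconds window
        if len(stamps) >= hitcount:
            dropped.append((pkt["t"], pkt["src"]))
    return dropped

def build_trace():
    """Constructed sample traffic (not captured data): a host opening 25 TCP
    connections in 50 s, a DNS client reusing one UDP tuple, and 21 pings."""
    pkts = [{"t": i * 2, "src": "10.0.0.5", "dst": f"198.51.100.{i}", "proto": "tcp",
             "sport": 40000 + i, "dport": 80, "syn": True} for i in range(25)]
    pkts += [{"t": 10 + i, "src": "10.0.0.7", "dst": "192.0.2.1", "proto": "udp",
              "sport": 5000, "dport": 53} for i in range(3)]
    pkts += [{"t": i, "src": "10.0.0.9", "dst": "192.0.2.2", "proto": "icmp"}
             for i in range(21)]
    return pkts

if __name__ == "__main__":
    for t, src in rate_limit(build_trace()):
        print(f"t={t:3d} DROP new connection from {src}")
```

Shrinking --seconds (e.g. to 10) lets the same trace through untouched, which is the knob to turn if legitimate users start hitting the limit.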
ASKER CERTIFIED SOLUTION
ASKER
Thanks for all comments
https://www.experts-exchange.com/questions/24124703/Linux-as-QoS-Router.html
hth.