netpass

asked:

How to limit number of routes per ip

I have a Linux firewall box and sometimes see many "dst cache overflow" messages. There are some ways to overcome this, e.g. increase /proc/sys/net/ipv4/route/max_size or set secret_interval to a lower value. However, these do not solve the root cause of the problem. I found the root cause is that some users connect to many, many destinations in a short period (maybe BT, a virus, etc.). I can list the routes with "route -Cn".

I want to know whether there is any means to limit the number of routes per IP. Solutions, comments, ideas and directions are welcome.
Rowley

I haven't done any of this myself, but try a quick Google for "linux qos routing" or "linux policy routing". There's also a post here on EE that has some decent info:

https://www.experts-exchange.com/questions/24124703/Linux-as-QoS-Router.html

hth.
You can limit the number of connections in a period of time with the recent module in iptables.
http://www.ducea.com/2006/06/28/using-iptables-to-block-brute-force-attacks/
http://www.e18.physik.tu-muenchen.de/~tnagel/ipt_recent/
Arty K
netpass, hi.
> There are some ways to overcome this, e.g. increase /proc/sys/net/ipv4/route/max_size or set secret_interval to a lower value. However, these do not solve the root cause of the problem.

Really, the root cause may be heavy network load on your server (servers/users behind the firewall), so that is a normal solution.

How many 'routes per IP' do you think is 'the maximum', and how many total 'ip cache routes' do you think is OK? There is no such control as 'ip route cache entries per IP', since all IPs are equal for the routing process and you have as many ip route cache entries as IPs you (or users behind the firewall) are trying to access.

I agree with Blaz, you may try to use the 'recent' module (in the PREROUTING chain), but you may also try to modify other route cache control parameters: 'gc_interval' or 'gc_thresh'
http://www.linuxinsight.com/proc_sys_net_ipv4_route_gc_interval.html
http://www.linuxinsight.com/proc_sys_net_ipv4_route_gc_thresh.html

netpass (ASKER)

Thanks for your suggestions.

However, both gc_interval and gc_thresh are applied to the whole box, i.e. both normal and abnormal users will be affected. If I only want to prevent those abnormal users (making many new connections) from polluting the routing table, any suggestions?

The "recent" module may be the direction. However, I don't know how to set the rule for "drop new connection if the last new connection was made < x seconds ago".
Did you look at the links I posted about the recent iptables module?

For example:

# The chain must live in a table that has PREROUTING and is walked after
# conntrack (mangle); the extraction also dropped the "--" from the options.
iptables -t mangle -N RATELIMIT
iptables -t mangle -A PREROUTING -m state --state NEW -j RATELIMIT
iptables -t mangle -A RATELIMIT -m recent --set --name RateLimit
iptables -t mangle -A RATELIMIT -m recent --update --seconds 100 --hitcount 20 --name RateLimit -j DROP

These rules enforce that there are fewer than 20 new connections from any one host in a time window of 100 seconds.
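The following script is an added example and not code from the original thread: it builds the per-source limit on NEW connections described above with every option spelled out, prints the rule set by default (so it can be reviewed before touching a firewall), applies it with --apply, and shows the module's per-source hit list with --show. The interface name eth1, the exemption list in WHITELIST and the --show helper are assumptions not present in the thread; the 100-second window, the 20-hit threshold and the list name RateLimit are the thread's own. One caveat a practitioner should know: the IPv4 route cache that the question is about (route -Cn, /proc/sys/net/ipv4/route/max_size, secret_interval) was removed in Linux 3.6, so "dst cache overflow" no longer occurs on current kernels, but limiting how fast a single host may open new connections remains a useful control in its own right.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds the per-source
# "new connection" rate limit with the iptables recent module.
# Assumed (not from the thread): LAN_IF, WHITELIST, the --show helper.

LAN_IF="${LAN_IF:-eth1}"       # assumption: the inside-facing interface
WINDOW="${WINDOW:-100}"        # seconds, as in the thread
HITS="${HITS:-20}"             # new connections per window, as in the thread
LIST="${LIST:-RateLimit}"      # xt_recent list name, as in the thread
WHITELIST="${WHITELIST:-}"     # assumption: space-separated IPs/CIDRs never limited

# Emit the rule set, one command per line. The chain is created in the
# mangle table: PREROUTING does not exist in the filter table, and the raw
# table is walked before conntrack has classified the packet, so a
# "--state NEW" match there would never fire. Whitelisted sources RETURN
# before they are recorded, so they never accumulate hits.
ratelimit_rules() {
    printf 'iptables -t mangle -N RATELIMIT\n'
    printf 'iptables -t mangle -F RATELIMIT\n'
    for src in $WHITELIST; do
        printf 'iptables -t mangle -A RATELIMIT -s %s -j RETURN\n' "$src"
    done
    # Record the source on every NEW packet, then drop once it has HITS
    # entries inside WINDOW seconds. A hitcount above 20 needs the
    # xt_recent module parameter ip_pkt_list_tot raised accordingly.
    printf 'iptables -t mangle -A RATELIMIT -m recent --set --name %s\n' "$LIST"
    printf 'iptables -t mangle -A RATELIMIT -m recent --update --seconds %s --hitcount %s --name %s -j DROP\n' \
        "$WINDOW" "$HITS" "$LIST"
    # Delete any earlier copy of the jump so re-running stays idempotent.
    printf 'iptables -t mangle -D PREROUTING -i %s -m state --state NEW -j RATELIMIT 2>/dev/null\n' "$LAN_IF"
    printf 'iptables -t mangle -A PREROUTING -i %s -m state --state NEW -j RATELIMIT\n' "$LAN_IF"
}

# Number of rules that would be appended (the -N/-F/-D housekeeping excluded).
ratelimit_rule_count() {
    ratelimit_rules | grep -c -- ' -A '
}

# Apply the rules; needs root plus the xt_recent and conntrack modules.
apply_rules() {
    ratelimit_rules | sh
}

# Per-source hit timestamps kept by xt_recent: the quickest way to confirm
# that the limit is tracking the hosts you expect.
show_list() {
    cat "/proc/net/xt_recent/$LIST" 2>/dev/null || echo "list $LIST not present"
}

case "${1:-}" in
    --apply) apply_rules ;;
    --show)  show_list ;;
    *)       ratelimit_rules ;;
esac
```

Run it without arguments first and read the printed commands; only then run it as root with --apply. After a few minutes, --show lists each source that has been seen, with its hit timestamps, which is how to verify that the DROP is hitting the heavy hosts and not the whole LAN.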
netpass (ASKER)

Thanks, I will try it and report the result.
netpass (ASKER)

After verification, it works. By limiting the frequency of "NEW" connections, I can limit the rate at which new routes are added to the route cache. Anyway, I want to know how "NEW" is defined, as it seems to be quite different for different protocols, e.g. ICMP, UDP, TCP, etc. For example, in ICMP each ping is a "NEW" session, even to the same destination! In TCP, each TCP session is a "NEW" session.

Can anyone help to clarify? Thanks in advance.
ASKER CERTIFIED SOLUTION
Blaz

netpass (ASKER)

Thanks for all the comments.