# PF/ALTQ limiting throughput per src ip



## chrcol (Nov 2, 2012)

Ok I am looking for what seems to be a missing feature but I am hoping I am wrong.

I can limit total bandwidth on a port/ip. As well as limit on a interface.  What I want to do is have ALTQ/PF limit per connecting ip, so not a total limit but per connection.

The reason is this.

I have a unusual attack on a varnish server, its not an attack that utilizes many connections in fact its just one single connection, like sloworis but this also uses high bandwidth, randomly maybe once every 2-3 days we get a ip connecting to the varnish server, pulling 300-500Mbit/sec of bandwidth in a single connection for 1-2 minutes and then disconnecting.  I am concerned there is some kind of vulnerability in varnish as well since it doesn't host any large files and they doing this via a single connection not via multiple connections, I have not found any options in varnish to cutoff established connections and I assume if I do it at the OS level keepalive packets would reset the counter.

So for now what I want to do is to add a throttle per connection eg. max 20Mbit/sec, which should at least for now stop them pulling so much bandwidth.


----------



## SirDice (Nov 2, 2012)

Instead of trying to deal with the symptoms I would suggest finding the cause.


----------



## chrcol (Nov 5, 2012)

we have.

I am asking the firewall question. Doesn't mean we haven't been trying to find the cause, although its likely a competitor as it's a commercial site, but haven't been able to find the vulnerability in varnish how this is been done.

So we need a firewall solution.

Your answer suggests PF cannot do what I want right?

looks like the good old dummynet can do this.


----------

