Thread: Anti-DoS QoS with altq

Anti-DoS QoS with altq
user name
2006-06-22 19:04:25
Hi,

I'm wondering how to make altq use 2 queues defined as follows:
- the first one is the "attackers" queue, and should be defined by a static file containing IP addresses, filled by another program. RED should be used on this queue (every client in this queue should have the same priority)
- the second one is the "normal clients" queue, which should have the best effort possible (again, every client in this queue should have the same priority); I don't know which scheduler to use...

The only traffic considered (as of now) is web traffic. The end purpose of this is anti-DoS QoS on a web server (80 and 8080 at the same time). I have a running webserver and traffic generator, and a FreeBSD 6.1 gateway with a custom kernel (altq + pf options enabled).

webserver  - 100 MB link -  gateway  - 1 Gb link -  traffic generator
machine 1                   freebsd                 machine 1

My purpose is to know the best combination in order to get the best service possible for normal clients; the rest of the bandwidth should go to attackers (if any of them are false positives).

I don't know how to manage:
- the IP file part (altq-file interconnection)
- the schedulers part: I'm gonna test them (httperf); are there some altq-dedicated benchmarking tools (which, ideally, would change QoS options sequentially)?
- how to benchmark.... store and plot the results... (I guess it will be shell scripting, watch/grep/wc pipes etc...)

Thanks in advance for your help. If there is an IRC channel or anybody ok to discuss with me (messaging or mail), please contact me.

Regards,

Florent
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
Anti-DoS QoS with altq
user name
2006-06-28 05:56:13
On 6/22/06, Florent Thiery <Florent.Thiery@int-evry.fr> wrote:
> I'm wondering how to make altq use 2 queues defined as follows:
> - the first one is the "attackers" queue, and should be defined by a
> static file containing IP addresses, filled by another program. RED
> should be used on this queue (every client in this queue should have the
> same priority)

# the file path is a placeholder; "persist" keeps the table defined even when the file is empty
table <attackers> persist file "/etc/pf.attackers"
# "proto tcp" is required for a port match; the queue name must match the altq queue definition
pass in quick on $wan_if proto tcp from <attackers> to $web_server port { 80 8080 } queue attacker

Then write a small script to add them to the attackers table.

> - the second one is the "normal clients" queue, which should have the
> best effort possible (again, every client in this queue should have the
> same priority); I don't know which scheduler to use...

pass in quick on $wan_if proto tcp from any to $web_server port { 80 8080 } queue normal

> I don't know how to manage the
> - the IP file part (altq-file interconnection)

# in pf.conf the altq/queue definitions go before the filter rules; the macros
# $wan_if, $web_server and $upstream_bw must be defined at the top of the file
altq on $wan_if priq bandwidth $upstream_bw queue { attacker, normal }
queue attacker priority 0 priq(red)
queue normal priority 7 priq(default)

Note that you can only queue on outbound connections.
Well, you can assign queues on inbound packets, but it only
matters when they're queued up to go out (inbound packets
get processed almost immediately if the CPU is fast enough).

> - how to benchmark.... store and plot the results... (I guess it will be
> shell scripting, watch grep wc pipes etc... )

gnuplot

> Thanks in advance for your help. If there is an IRC channel or anybody
> ok to discuss with me (messaging or mail), please contact me.

I charge reasonable rates, but bear in mind that firewall rules can take a long time to debug and tweak and tune, and I charge by the hour.
-- 
"I sometimes have delusions of adequacy" -- Woody Allen
Security "guru" for rent or hire - http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484
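The "small script" the reply refers to, as an added example that is not part of the thread or of pf itself: it cleans the address file written by the detection program and loads it into the <attackers> table in one atomic step with pfctl. The file path /etc/pf.attackers is an assumption; the table and queue names are the ones used in the reply.

```shell
#!/bin/sh
# Added example, not from the thread: the "small script" the reply refers to.
# It cleans the IP file another program writes, then loads it into the pf
# table <attackers> atomically. ATTACKERS_FILE is an assumed path.
ATTACKERS_FILE="${ATTACKERS_FILE:-/etc/pf.attackers}"
TABLE="attackers"

# Print the usable entries of an IP file: comments and blank lines dropped,
# surrounding whitespace trimmed, only dotted-quad IPv4 addresses or
# a.b.c.d/len prefixes with in-range octets and prefix length kept,
# duplicates collapsed. Anything else is skipped so one bad line cannot
# make pfctl reject the whole table.
clean_ip_list() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
    awk '
        /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ {
            n = split($0, p, "[./]")
            ok = 1
            for (i = 1; i <= 4; i++) if (p[i] > 255) ok = 0
            if (n == 5 && p[5] > 32) ok = 0
            if (ok && !seen[$0]++) print
        }'
}

# Replace the whole table in one step. "replace" (rather than "add") means
# an address removed from the file, e.g. a false positive, leaves the
# attacker queue on the next run instead of lingering in the table.
load_table() {
    tmp=$(mktemp) || return 1
    clean_ip_list "$1" > "$tmp"
    pfctl -t "$TABLE" -T replace -f "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Quick checks after a load: table contents and per-queue counters
# (drops in the attacker queue show RED doing its job).
show_status() {
    pfctl -t "$TABLE" -T show
    pfctl -v -s queue
}

if [ "${1:-}" = "--load" ]; then
    load_table "$ATTACKERS_FILE" && show_status
fi
```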