  1. #1
    Join Date
    Feb 2008
    Posts
    829

    traffic shaping and dos protection in linux

    Is there a way to use traffic shaping in Linux? Like limit traffic to certain port, set priorities etc. Like ex: I'd want to set FTP to use max of 1mbps, http max of 80mbps, and set total to 90mbps.

    Also, are there ways to set up DoS protection within Linux? What I'd basically want is if it detects a DoS, it either turns off the server, or does some other action that would cut it off either until I take action or for a set amount of time. Think turning off would be the only solution since if I just drop packets I'd still be paying for that traffic.

    Basically I want to ensure that if I get a DoS I'm not stuck paying insane bandwidth overcharges. I'd rather have a few days of downtime to deal with than a few thousand dollars to pay and me having to declare bankruptcy and sell property etc...

  2. #2
    Join Date
    Dec 2006
    Location
    London
    Posts
    660
    Yes. Linux has an advanced traffic shaping ability. I've used it at home to limit the outbound bandwidth to 95% of maximum, prioritise ACK packets and SSH and cause filesharing traffic to be bottom of the priority list. It's pretty clever but a little complicated to set up. http://lartc.org/ (Chapter 9 onwards) has a good amount of information on how to do this but it's a little dry. Use information gathered from there to look for examples on Google.
    GigaTux, Value Linux Hosting
    UK, US and Germany based Xen VPS. Reliability is key! Quick support response and 99.9% SLA.
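As an added example (not code from this thread or from lartc.org), here is an HTB egress shaping script for the exact limits asked in post #1: FTP capped at 1 Mbit/s, HTTP at 80 Mbit/s, 90 Mbit/s in total. It assumes a Linux host with iproute2's `tc`, an interface name passed as the first argument, and a link faster than 90 Mbit/s; only traffic leaving the host is shaped, which is the point post #7 makes about inbound traffic.

```shell
#!/bin/sh
# Added example, not from the thread: HTB shaping for post #1's numbers.
# Usage: DRY_RUN=1 sh shape.sh eth0   (print the tc commands)
#        sh shape.sh eth0             (apply them, as root)
set -u

TOTAL=90000   # kbit/s ceiling for everything leaving the interface
FTP=1000      # kbit/s, class 1:10
HTTP=80000    # kbit/s, class 1:20
OTHER=9000    # kbit/s, class 1:30 (everything else; may borrow up to TOTAL)

# run: execute the command, or just print it when DRY_RUN is set
run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

shape() {
    dev="$1"
    # remove any existing root qdisc; ignore the error when there is none
    run tc qdisc del dev "$dev" root 2>/dev/null || true
    # root HTB; traffic matched by no filter falls into class 1:30
    run tc qdisc add dev "$dev" root handle 1: htb default 30
    run tc class add dev "$dev" parent 1: classid 1:1 htb rate "${TOTAL}kbit" ceil "${TOTAL}kbit"
    # leaf classes: rate is guaranteed, ceil is the hard cap
    run tc class add dev "$dev" parent 1:1 classid 1:10 htb rate "${FTP}kbit" ceil "${FTP}kbit" prio 2
    run tc class add dev "$dev" parent 1:1 classid 1:20 htb rate "${HTTP}kbit" ceil "${HTTP}kbit" prio 1
    run tc class add dev "$dev" parent 1:1 classid 1:30 htb rate "${OTHER}kbit" ceil "${TOTAL}kbit" prio 3
    # fair queuing inside each leaf so one connection cannot starve the others
    for leaf in 10 20 30; do
        run tc qdisc add dev "$dev" parent "1:$leaf" handle "$leaf:" sfq perturb 10
    done
    # classify the server's replies by source port: 20/21 -> FTP, 80 -> HTTP.
    # Caveat: passive-mode FTP data uses ephemeral ports and lands in 1:30
    # unless the FTP daemon is pinned to a port range that is matched here too.
    for p in 20 21; do
        run tc filter add dev "$dev" parent 1: protocol ip prio 1 u32 match ip sport "$p" 0xffff flowid 1:10
    done
    run tc filter add dev "$dev" parent 1: protocol ip prio 1 u32 match ip sport 80 0xffff flowid 1:20
}

if [ "$#" -gt 0 ]; then shape "$1"; fi
```

Check the result with `tc -s class show dev eth0`; the per-class byte counters show whether the filters are matching what you expect.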

  3. #3
    Join Date
    Mar 2004
    Location
    London, UK
    Posts
    285
    I am amazed this feature is not part of WHM/cPanel (or an add-on) yet.

    - Vince

  4. #4
    Quote Originally Posted by hostingvince:
    I am amazed this feature is not part of WHM/cPanel (or an add-on) yet.

    - Vince
    What has been mentioned in the first post is too much to ask from cPanel/WHM, but if you just need a firewall that somehow integrates with cPanel/WHM you can check csf/lfd from configserver.com.

    You can manage it through WHM.

  5. #5
    Quote Originally Posted by Red Squirrel:
    Basically I want to ensure that if I get a DoS I'm not stuck paying insane bandwidth overcharges. I'd rather have a few days of downtime to deal with than a few thousand dollars to pay and me having to declare bankruptcy and sell property etc...
    You can use an external solution as your firewall and forget about the server itself as a firewall.

    You can hire someone to monitor bandwidth and server status to turn it off at the proper time.

    You can get someone to write code for you that fetches bandwidth usage and, along with a number of other factors, would decide to issue the "poweroff" or trigger an alarm for an admin to do so.

  6. #6
    Join Date
    Feb 2008
    Posts
    829
    External device is not really an option on a leased server though, unless I want to spend more money per month. Trying to keep cost as low as possible so that I can make a small profit.

    Though guess a monitor app could work too, though how do I check how much bandwidth is being used?
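An added example, not from the thread, of the monitor post #5 suggests and post #6 asks about: it samples the byte counters in /proc/net/dev, computes the Mbit/s rate over an interval, and raises an alarm when a threshold is crossed. It assumes a Linux host; the interface name, threshold and alarm action are placeholders to adjust, and the sample /proc/net/dev text in the comments is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: a bandwidth watchdog for post #5/#6.
# Usage: IFACE=eth0 INTERVAL=10 THRESHOLD_MBIT=85 sh bwmon.sh --monitor
set -u
IFACE="${IFACE:-eth0}"
INTERVAL="${INTERVAL:-10}"               # seconds between samples
THRESHOLD_MBIT="${THRESHOLD_MBIT:-85}"   # alarm above this rx or tx rate

# bytes_in_out <text of /proc/net/dev> <iface>: prints "rx_bytes tx_bytes".
# Handles both "eth0: 123 ..." and "eth0:123 ..." (no space after the colon).
bytes_in_out() {
    printf '%s\n' "$1" | awk -v ifc="$2" '
        $1 == (ifc ":")   { print $2, $10; exit }
        $1 ~ ("^" ifc ":") { sub(/^[^:]*:/, "", $1); print $1, $9; exit }'
}

# mbit_rate <bytes_before> <bytes_after> <seconds>: prints Mbit/s, 2 decimals
mbit_rate() {
    awk -v b0="$1" -v b1="$2" -v s="$3" \
        'BEGIN { printf "%.2f\n", (b1 - b0) * 8 / s / 1000000 }'
}

# exceeds <rate> <threshold>: exit 0 when rate is above threshold
exceeds() {
    awk -v r="$1" -v t="$2" 'BEGIN { exit !(r > t) }'
}

monitor() {
    while :; do
        s0=$(bytes_in_out "$(cat /proc/net/dev)" "$IFACE")
        sleep "$INTERVAL"
        s1=$(bytes_in_out "$(cat /proc/net/dev)" "$IFACE")
        rx=$(mbit_rate "${s0%% *}" "${s1%% *}" "$INTERVAL")
        tx=$(mbit_rate "${s0##* }" "${s1##* }" "$INTERVAL")
        printf '%s %s rx=%s Mbit/s tx=%s Mbit/s\n' "$(date +%T)" "$IFACE" "$rx" "$tx"
        if exceeds "$rx" "$THRESHOLD_MBIT" || exceeds "$tx" "$THRESHOLD_MBIT"; then
            # placeholder alarm action: page an admin here, or, as post #5
            # suggests, decide on 'poweroff' once other factors are checked
            logger -t bwmon "ALARM: $IFACE above ${THRESHOLD_MBIT} Mbit/s (rx=$rx tx=$tx)"
        fi
    done
}

if [ "${1:-}" = "--monitor" ]; then monitor; fi
```

Remember post #7's point: the counters here show what reached your interface, which is usually what the provider bills for, so the alarm tells you when to call them rather than preventing the charge by itself.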

  7. #7
    Join Date
    Nov 2002
    Location
    Bay Area, California
    Posts
    309
    There is great beauty in the things that you can do on linux systems to shape and control traffic, however you must be aware that those things are only useful once the traffic touches your system.

    This means that you could use these tools to control your outbound traffic, which might help control the size of your bills, but they are almost completely useless in controlling inbound traffic because by the time it reaches your machine it has already passed through your provider's "toll booth".

    Even turning down your interface may not help you with billing for inbound traffic, because many providers consider that they are still giving you the traffic, the fact that you choose to ignore it is nothing to do with them.

    So you need to know what your provider's actual policies are. Most providers will give some assistance with a DOS - possibly if you tell them the ip address that is being attacked they will discard traffic to that address instead of sending it to you, or perhaps you could tell them to discard traffic from a certain ip address or from a certain network.

    If this is the case then you could use the linux tools to examine the traffic so that you know what to ask your provider to do for you.

    If instead of being concerned about the bills you are concerned about how to keep your system functioning through a dos then these linux tools can be very helpful.

    Hosting providers have an advantage over connectivity providers in that the natural ratio of inbound to outbound traffic is about 1/10. Since most people buy symmetric bandwidth this means that the capacity of your connection can often handle a whole lot of incoming trash while still supporting the normal incoming traffic. So in that circumstance you may use linux tools to try to sort out the trash from the not trash.

    This is the sort of thing that you want to be prepared for ahead of time. Some of these tools will not be installed by default on your system. Some may require a kernel upgrade or patching.

    You will want to know ahead of time what your provider's policies are and how to reach them and authenticate yourself to them when/if you have a problem.

    You will want to learn to use these tools before hand so you understand their capabilities and some of their usage. If you study this I promise you will find fifty other uses for the capabilities you will learn about, probably long before you ever have to deal with a dos.
    Sunwave Communications
    http://www.sunwave.com/
    Safety - Service - Economy
