Connection rate limiting

rodm13 · 11-15-2007, 07:54 PM

Hi guys,

I have an interesting problem that I've been dealing with for a while. My ISP employs an IDP that disconnects a client for 5 mins or so whenever a set connections / time rate has been breached on grounds that it's 'a behavior common to viruses'. I was wondering if there was any way I could force either my computer (WinXP/Ubuntu) or the pfSense box (BSD firewall / routing platform) and me to limit the connection rate so I don't get killed whenever I would otherwise act too much like a virus.

Thanks for your help.

blackhole54 · 11-16-2007, 05:31 AM

Quote:

Originally Posted by rodm13

limit the connection rate so I don't get killed whenever I would otherwise act too much like a virus.

Do you mean limit the number of TCP/UDP connections you try to establish per unit time?

With Linux, you could use iptables' limit and state modules to DROP or REJECT packets that try to establish NEW connections faster than a certain rate:

Code:

#  Set RATE to connections/seconds allowed, BURST to the number of packets allowed w/o respect to rate,  and INET_IF to 
#  the interface for Internet access.

RATE=???
INET_IF=???
BURST=???
iptables -A OUTPUT -o $INET_IF -m state --state NEW -m limit --limit-burst $BURST --limit ${RATE}/second -j ACCEPT
iptables -A OUTPUT -o $INET_IF -m state --state NEW -j REJECT

(If you have other rules in the OUTPUT chain, you might need to break this logic into a separate user chain to prevent a conflict with the existing logic. In which case, the first rule would RETURN instead of ACCEPT.)

But I would think the application(s) that tried to initiate these connections would probably react badly to this. And it would only work for Linux. BSD might have a similar capability, but I am not familiar with it.