From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-qt1-x836.google.com (mail-qt1-x836.google.com [IPv6:2607:f8b0:4864:20::836]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.bufferbloat.net (Postfix) with ESMTPS id DF6A93B29D for ; Mon, 7 Oct 2024 08:56:24 -0400 (EDT) Received: by mail-qt1-x836.google.com with SMTP id d75a77b69052e-4582c62ee33so50582911cf.3 for ; Mon, 07 Oct 2024 05:56:24 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1728305784; x=1728910584; darn=lists.bufferbloat.net; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:from:to:cc:subject:date:message-id:reply-to; bh=L5QavX6AqcREo9kWLmUk67ZRyeda970vuUPIGJHZJpA=; b=ih1JuWjOu4oXCCMlrMyOaGXJDQ9Ph2+1zrLFzr/gP1ST2vZrBnh3r/+yI4G8Bxaevt /aBli1fSVKs/mgojGHLPFqhF9nMl0a0RE2HccwhZPQR0mLJD0ldG15NdTDAjILNI5aqh YzxnmLdDA3NywJEhgHLB2OuerB7NG/CSU8JRPXYfjO1AlYbi15vXkjwZuq8nRmx6pBle qQJvIzB8jL7CqgJfcts2MDIsW2cUMc50HQxNKGXcn1yRp8NlUI8MC8vTCShIPz6ErAFX u2mJx+IIyAzcHWwQq/m+RmLIoZnXpnbLQXwBlMCnatsvUmWTlrGYH1K34sU+hYmHGII1 xpXg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1728305784; x=1728910584; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=L5QavX6AqcREo9kWLmUk67ZRyeda970vuUPIGJHZJpA=; b=BleoZgylX80tvrivSQBVeCiINlsAxcXR+IY7/tJFrWPckGEKEv3YwTmLsdVrggOToq P61NKP3aZfD4lKyA7/HswbcHsBNRSCgBH5/NS6oYWJdo8kRrC87+FWb9Zu+kv/MVygnj 3wOqch59ir+r9G+2Ye4ZmEkjWS0vEuagJ63h9pkieohvxJ0WxToKJl2JWmERTkilmjPL 2VnEb+qWQbSb3ZfAESA7qtTI1l7d9xNN/TI3JXDaxzN6YIMkCFIMTBl6UONUQ/jb0eex 8heToHjzBq1HDXCSvtPTuYQVQCdRsIeAntj/WLtRyHAXYv+loX7YFC6gV1oPrvdAnDj3 KrgA== X-Gm-Message-State: AOJu0Yx4gpsXoK93fPr2yv79vY0o9E4v8XQx9PXCchES0gII8HG0Gpc+ mt9wMJI8/LsgLIB5sibtqmaaEmX3nhBlOqMSTlqq4b26lZ1uMV9AsOHlwA== X-Google-Smtp-Source: AGHT+IH8IeMpXhznQWxwFtYKChsiEpIuv41KAR7+vyT8gCWFSah9FFZmUfXFueV92TK60WLNaMGsJw== X-Received: by 2002:ac8:7fcb:0:b0:458:40e9:8d0d with SMTP id d75a77b69052e-45d9bb3a6d9mr206014321cf.58.1728305784087; Mon, 07 Oct 2024 05:56:24 -0700 (PDT) Received: from smtpclient.apple ([198.55.239.72]) by smtp.gmail.com with ESMTPSA id d75a77b69052e-45da74ee3c1sm26136041cf.34.2024.10.07.05.56.23 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 07 Oct 2024 05:56:23 -0700 (PDT) From: Rich Brown Message-Id: <15B73A5C-49D4-4C96-8F44-682A291B92F2@gmail.com> Content-Type: multipart/alternative; boundary="Apple-Mail=_56262234-66F6-4842-948B-3C395E56434A" Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.10\)) Date: Mon, 7 Oct 2024 08:56:20 -0400 In-Reply-To: <18e90903899.c3a2cea42205429.4572523016718960380@jonathanfoulkes.com> Cc: Rich Brown via Bloat To: Jonathan Foulkes References: <18e90903899.c3a2cea42205429.4572523016718960380@jonathanfoulkes.com> X-Mailer: Apple Mail (2.3696.120.41.1.10) Subject: Re: [Bloat] Need help with netperf.bufferbloat.net server X-BeenThere: bloat@lists.bufferbloat.net X-Mailman-Version: 2.1.20 Precedence: list List-Id: General list for discussing Bufferbloat List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 07 Oct 2024 12:56:24 -0000 --Apple-Mail=_56262234-66F6-4842-948B-3C395E56434A Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=us-ascii I finally got around to implementing Jonathan Foulkes' suggestion and = set up the `netserver` at netperf.bufferbloat.net to require a = passphrase - `netserver -Z passphrase` I have set up a daily passphrase change - people can get the current = day's value at netperf.bufferbloat.net. I have a cron job that runs at = 00:01 to kill all the `netserver` processes, regenerate a passphrase, = and restart with the new passphrase. The web server substitutes that = passphrase into the web page, so people can get a fresh copy every day. = You can see the machinery at my repo: = https://github.com/richb-hanover/Netperf-with-passphrase I also updated the `betterspeedtest.sh` script to pass through a `-Z = passphrase` option if it's specified. See=20 = https://github.com/richb-hanover/OpenWrtScripts/blob/master/betterspeedtes= t.sh Hopefully, this will eliminate the problem I was having: blowing through = my VPS traffic limit (4TBytes) in the first few days of the month... = (It'll also be interesting to see how many people retrieve the = passphrase each day...) Comments and field reports (positive and negative) welcomed. Thanks Rich PS I wonder if it adding a `-Z` option to flent or other netperf cients = would be useful > On Mar 30, 2024, at 2:12 PM, Jonathan Foulkes = wrote: >=20 > Hi Rich, >=20 > Sure, here's what we did to protect our Netperf servers: Require a = password to run netperf (it's a command line parameter on the client), = and rotate the password regularly. >=20 > This means users will need to sign up for access, and get an email = every time the password is rotated. That way you know who is using (or = abusing) the services. If it is being abused, knock out the abuser from = the list, and rotate the pwd. >=20 > Use different passwords for each server to have fine-grained access = controls. >=20 > I hope that helps, >=20 > Jonathan Foulkes >=20 >=20 >=20 > ---- On Sat, 30 Mar 2024 13:03:00 -0400 Rich Brown via Bloat = wrote --- >=20 > Hi folks, >=20 > This note was prompted by a question from the crusader github repo [1] = where I wrote the following: >=20 > >> It seems to me that the server netperf.bufferbloat.net (also called = netperf-east.bufferbloat.net) has been down for quite a while. > > > > Yes. I have been stymied by heavy abuse of the server. In addition = to legitimate researchers or occasional users, > > I see people running a speed test every five minutes, 24x7. > > > > I created a bunch of scripts [2] to review the netperf server logs = and use iptables to shut off people who abuse the server. > > Even with those scripts running, I have been unable to keep the = traffic sent/received below the 4TB/month cap at my VPS. >=20 > Does anyone have thoughts about how to continue providing a netperf = server at the name "netperf.bufferbloat.net" while not overwhelming any = particular server? Many thanks. >=20 > Rich >=20 > [1] https://github.com/Zoxc/crusader/issues/14#issuecomment-2028273112 = > [2] https://github.com/richb-hanover/netperfclean = > _______________________________________________ > Bloat mailing list > Bloat@lists.bufferbloat.net > https://lists.bufferbloat.net/listinfo/bloat = >=20 --Apple-Mail=_56262234-66F6-4842-948B-3C395E56434A Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=us-ascii
I finally got around to = implementing Jonathan Foulkes' suggestion and set up the `netserver` at = netperf.bufferbloat.net to require a passphrase - = `netserver -Z passphrase`

I have set up a daily passphrase change - people can get the = current day's value at netperf.bufferbloat.net. I have a cron job that runs at = 00:01 to kill all the `netserver` processes, regenerate a passphrase, = and restart with the new passphrase. The web server substitutes that = passphrase into the web page, so people can get a fresh copy every day. = You can see the machinery at my repo: https://github.com/richb-hanover/Netperf-with-passphrase

I also updated = the `betterspeedtest.sh` script to pass through a `-Z passphrase` option = if it's specified. See 
https://github.com/richb-hanover/OpenWrtScripts/blob/master/bet= terspeedtest.sh

Hopefully, this will eliminate the problem I was having: = blowing through my VPS traffic limit (4TBytes) in = the first few days of the month... (It'll also be interesting = to see how many people retrieve the passphrase each day...)

Comments and field = reports (positive and negative) welcomed. Thanks

Rich

PS I wonder if it adding a `-Z` option = to flent or other netperf cients would be useful

On Mar = 30, 2024, at 2:12 PM, Jonathan Foulkes <jf@jonathanfoulkes.com> wrote:

Hi = Rich,

Sure, here's what we did to protect our Netperf servers: = Require a password to run netperf (it's a command line parameter on the = client), and rotate the password regularly.

This means users will = need to sign up for access, and get an email every time the password is = rotated. That way you know who is using (or abusing) the services. If it = is being abused, knock out the abuser from the list, and rotate the = pwd.

Use different passwords for each server to have fine-grained = access controls.

I hope that helps,

Jonathan Foulkes



---- On Sat, 30 Mar 2024 13:03:00 -0400 = Rich Brown via Bloat <bloat@lists.bufferbloat.net> wrote ---

Hi folks,

This note was prompted = by a question from the crusader github repo [1] where I wrote the = following:

>> It seems to me that the = server netperf.bufferbloat.net (also called netperf-east.bufferbloat.net) has been down for quite a = while.
>
> Yes. I have been stymied by = heavy abuse of the server. In addition to legitimate researchers or = occasional users,
> I see people running a speed test = every five minutes, 24x7.
>
> I = created a bunch of scripts [2] to review the netperf server logs and use = iptables to shut off people who abuse the server.
> = Even with those scripts running, I have been unable to keep the traffic = sent/received below the 4TB/month cap at my VPS.

Does anyone have thoughts about how to continue providing a = netperf server at the name "netperf.bufferbloat.net" while not overwhelming any = particular server? Many thanks.

Rich

[1] https://github.com/Zoxc/crusader/issues/14#issuecomment-2028273= 112
[2] https://github.com/richb-hanover/netperfclean
_______________________________________________
Bloat mailing list
Bloat@lists.bufferbloat.net
https://lists.bufferbloat.net/listinfo/bloat


= --Apple-Mail=_56262234-66F6-4842-948B-3C395E56434A--