From: Rich Brown
Date: Wed, 7 Oct 2020 14:23:00 -0400
To: bloat@lists.bufferbloat.net
Subject: Re: [Bloat] netperf server news
Message-Id: <2F734444-9922-412A-90E3-254B045E9FF8@gmail.com>

> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 06 Oct 2020 19:39:54 -0700
> From: Kenneth Porter
> To: bloat
> Subject: Re: [Bloat] netperf server news
> Message-ID: <38F0B196CFEA470FEEBE0520@[172.27.17.193]>
> Content-Type: text/plain; charset=us-ascii; format=flowed
>
> --On Tuesday, October 06, 2020 7:52 AM -0400 Rich Brown wrote:
>
>> 3) I would be pleased to get comments on the set of scripts. I'm a newbie
>> at iptables, so it wouldn't hurt to have someone else check the rules I
>> devised. See the README at https://github.com/richb-hanover/netperfclean
>
> A couple of alternatives to custom scripts are fail2ban and the rate-limiting modules available for iptables such as hashlimit and recent. I haven't used fail2ban for rate-limiting so I'm not sure if it's the right tool for that, but it monitors log files to add iptables rules for short-term banning. It's not hard to add your own log monitoring rule. I haven't used the iptables modules but they look like a natural solution for this.
>
> Instead of using a unique iptables rule for each blocklist member, I suggest using an ipset. (I use firewalld as a front-end to iptables so I let it manage my ipsets, but you can also install ipset's service for use with raw iptables to save and restore the sets across boots.) Your block rule could be as simple as this:
>
> iptables -I INPUT 1 -p tcp --dport netperf -m set --match-set NetPerfAbusers src -m conntrack --ctstate NEW -j DROP

Thanks for these thoughts. I looked briefly at rate-limiting schemes, but didn't see a good way for them to distinguish good users from bad:

- Good users (who are setting up their SQM, or testing various algorithms) run a test (that creates 10 connections in ~10-60 seconds), tweak a parameter, then re-run that test, repeating until they're happy.

- Bad users who test every five minutes 24x7 create 10 connections every 300 seconds - a slower "rate" of establishing new connections than the good guys.

The primary characteristic that distinguishes the good guys from the bad is that good guys *stop.*

So, my reasoning goes, I need to look at a longer time window and set a limit on the number of connections over the course of a day or two (not minutes or hours). And that's the genesis of my question to the group: What is *your* pattern of testing? How many successive tests are you likely to make over the course of a day?

I'm also aware of ipset, which I take to be an optimized alternative to searching a long set of iptables rules (true?). I don't believe that my OpenVZ VPS has kernel support for this, so as long as the long-list-of-rules seems to work well, I'm going to leave it alone.

That's my thinking, but please let me know if I'm missing something. Thanks again.
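An added example, not part of the thread or the netperfclean scripts, that works through the argument above on a constructed connection log: in a 5-minute window the "good" tester who reruns a few times actually looks busier than the 24x7 tester, and only a day-scale window separates them. The log format, addresses and the 200-per-day limit are assumptions; the ipset commands populate the NetPerfAbusers set named in the quoted DROP rule.

```python
# Added example (not from the thread or netperfclean): count connections per
# source over a short and a long window, flag hosts that never stop, and emit
# ipset commands for the NetPerfAbusers set used in the quoted DROP rule.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a made-up "<ISO time> connect from <ip>" format.
GOOD_IP, BAD_IP = "203.0.113.5", "198.51.100.7"
START = datetime(2020, 10, 6, 8, 0, 0)

def _burst_log(ip, runs, per_run, gap_seconds):
    """`runs` test runs of `per_run` connections each, `gap_seconds` apart."""
    return [f"{(START + timedelta(seconds=r * gap_seconds + c * 3)).isoformat()}"
            f" connect from {ip}"
            for r in range(runs) for c in range(per_run)]

# Good user: three 10-connection runs two minutes apart, then stops.
# Bad user: 10 connections every 300 s for a full day (288 runs).
LOG = _burst_log(GOOD_IP, 3, 10, 120) + _burst_log(BAD_IP, 288, 10, 300)

def parse(lines):
    """Return {ip: sorted list of connection datetimes}."""
    by_ip = defaultdict(list)
    for line in lines:
        ts, _, ip = line.partition(" connect from ")
        by_ip[ip.strip()].append(datetime.fromisoformat(ts))
    return {ip: sorted(ts) for ip, ts in by_ip.items()}

def peak_in_window(times, window_seconds):
    """Largest number of connections from one host inside any sliding window."""
    peak = lo = 0
    for hi, t in enumerate(times):
        while (t - times[lo]).total_seconds() >= window_seconds:
            lo += 1
        peak = max(peak, hi - lo + 1)
    return peak

def abusers(lines, window_seconds=86400, limit=200):
    """Hosts exceeding `limit` connections in any window (limit is an assumption)."""
    return sorted(ip for ip, ts in parse(lines).items()
                  if peak_in_window(ts, window_seconds) > limit)

def ipset_commands(ips, setname="NetPerfAbusers"):
    """Shell commands that populate the set matched by the quoted iptables rule."""
    return [f"ipset create {setname} hash:ip -exist"] + \
           [f"ipset add {setname} {ip} -exist" for ip in ips]

if __name__ == "__main__":
    for ip in (GOOD_IP, BAD_IP):
        ts = parse(LOG)[ip]
        print(ip, "5-min peak:", peak_in_window(ts, 300),
              "1-day peak:", peak_in_window(ts, 86400))
    print("\n".join(ipset_commands(abusers(LOG))))
```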