From: Rich Brown
To: bloat
Date: Tue, 6 Oct 2020 16:40:00 -0400
Subject: Re: [Bloat] netperf server news
In-Reply-To: <2F8AA6E5-93F7-4FB2-A57F-10F7642F3092@gmail.com>

Thanks for the feedback. Some responses:

1) I'm glad that people are seeing reasonable speeds from the VPS. (I don't know what I can do to make it go faster, so I'm relieved...)

2) I don't think I posed the right question for the number-of-tests threshold. (Most of the responses were like, "Sure, that sounds like enough...") Let me reframe the question:

    In your normal testing/troubleshooting process, what is the maximum number of tests YOU might need to run in any two-day period?

3) If you can't get through to netperf.bufferbloat.net, send me your IP address because it might have been blacklisted.

Thanks!

Rich

> On Oct 6, 2020, at 6:52 AM, Rich Brown wrote:
>
> To the Bloat list,
>
> I had some time, so I looked into what it might take to keep the netperf.bufferbloat.net server on-line in the face of an unwitting "DDoS" attack - automated scripts that run tests every 5 minutes 24x7. The problem was that these tests would blow through my 4TB/month bandwidth allocation in a few days.
>
> In the past, I had been irregularly running a set of scripts to count incoming netperf connections and blacklist (in iptables) those whose counts were too high. This wasn't good enough: it wasn't keeping up with the tidal wave of connections.
>
> Last week, I revised those scripts to work as a cron job. The current parameters are: run the script every hour; process the last two days of kern.log files; look for > 500 connections; drop those addresses in iptables.
>
> There are currently 479 addresses blacklisted in iptables (that explains why the bandwidth was being consumed so quickly). There are only a few new addresses being added per day, so it seems that we have flushed out most of the abusers.
>
> My questions for this august group:
>
> 1) The server at netperf.bufferbloat.net is up and running. I get full rate speed from my 7mbps DSL circuit, but that's not much of a test. I would be interested to hear your results.
>
> 2) The current threshold comes from this estimate: most speed tests use 10 connections: 5 connections up and 5 down. So 500 connections would permit about 50 tests over the course of two days. Is that enough for "real research"? (If you need more, I can add your address to my whitelist file...)
>
> 3) I would be pleased to get comments on the set of scripts. I'm a newbie at iptables, so it wouldn't hurt to have someone else check the rules I devised. See the README at https://github.com/richb-hanover/netperfclean
>
> Thanks.
>
> Rich
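
The hourly cleanup pass described in the quoted message (count logged connections per source in kern.log, flag sources above the threshold, skip whitelisted addresses, drop the rest in iptables), as an added example that is not part of the original message or of the netperfclean repository. It assumes connections are logged by an iptables LOG rule whose lines carry SRC=<addr>; the function names, the allowlist file format and the sample log lines are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the post or the netperfclean repository.
# Assumed: an iptables LOG rule writes lines containing SRC=<addr> to kern.log;
# function names, allowlist format and sample data are hypothetical.

# heavy_hitters LIMIT ALLOWLIST LOGFILE...
# Prints "count addr" for each source logged more than LIMIT times, skipping
# allowlisted addresses and any SRC value that is not address-shaped.
heavy_hitters() {
    limit=$1; allow=$2; shift 2
    awk -v limit="$limit" -v allow="$allow" '
        BEGIN {
            if (allow != "")
                while ((getline line < allow) > 0) {
                    sub(/#.*/, "", line); gsub(/[ \t]/, "", line)
                    if (line != "") skip[line] = 1
                }
        }
        { for (i = 1; i <= NF; i++)
              if ($i ~ /^SRC=/) { count[substr($i, 5)]++; break } }
        END {
            for (a in count)
                if (count[a] > limit && !(a in skip) && a ~ /^[0-9A-Fa-f:.]+$/)
                    print count[a], a
        }' "$@" | sort -k1,1nr -k2,2
}

# drop_rules: read "count addr" lines, print idempotent DROP commands (not executed).
drop_rules() {
    while read -r count addr; do
        case $addr in *:*) ipt=ip6tables ;; *) ipt=iptables ;; esac
        printf '%s -C INPUT -s %s -j DROP 2>/dev/null || %s -I INPUT -s %s -j DROP\n' \
            "$ipt" "$addr" "$ipt" "$addr"
    done
}

# sample_log: constructed log lines; 203.0.113.7 x4, 198.51.100.9 x3, 2001:db8::5 x1.
sample_log() {
    for src in 203.0.113.7 198.51.100.9 203.0.113.7 198.51.100.9 \
               203.0.113.7 2001:db8::5 198.51.100.9 203.0.113.7; do
        echo "Oct  6 13:40:01 vps kernel: netperf: IN=eth0 OUT= SRC=$src DST=192.0.2.1 PROTO=TCP DPT=12865"
    done
}

# Demo: limit 2 suits the tiny sample (the post uses 500); 198.51.100.9 is allowlisted.
log=$(mktemp); allow_file=$(mktemp)
sample_log > "$log"; echo "198.51.100.9  # researcher" > "$allow_file"
heavy_hitters 2 "$allow_file" "$log" | drop_rules
rm -f "$log" "$allow_file"
```

Because the cron job re-reads the same two days of logs every hour, the printed commands check for an existing rule with `-C` before inserting, so repeated runs do not stack duplicate DROP entries.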