[Cerowrt-devel] Connection limits at netperf.bufferbloat.net

Rich Brown richb.hanover at gmail.com
Sun Jan 22 09:38:36 EST 2017


Hi folks,

My bandwidth bill for netperf.bufferbloat.net was creeping up (exceeding the 4 TByte/month default for my VPS). It's easy to buy more bandwidth, but...

Analysis of the logs shows there are many IP addresses (remarkably, a large number in Portugal) that were establishing >1000 netperf connections per hour (most hosts were creating exactly 1080 connections/hour, every hour for days at a time, also remarkable).

I had created a script that would analyze the log files and block the heavy users in iptables. This worked for a while (~6 months) but the tide keeps coming in, and I needed a new algorithm.

I have just (within the last hour) implemented an iptables filter that blocks new connections after it has received 20 connections within 120 seconds. It seems to work in my simple testing [1].

I write to you because:

1) I've changed the test server for many people. I'm hopeful that it isn't a big change, but I want to alert you to the possibility of different results.

2) If this affects your test regime(s), let's talk about whether there's a way to tweak the filter.

Many thanks!

Rich

[1] Test procedure

- sh betterspeedtest.sh -t 10            # 10 seconds, normal settings, worked as expected
- sh betterspeedtest.sh -t 10 -n 100 # 100 simultaneous connections, upload test failed (speed=0Mbps)
- Wait three minutes
- sh betterspeedtest.sh -t 10            # 10 seconds, worked again
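
An added example, not part of the original post and not the filter running on the server: a Python model of a per-source limit of 20 new connections within 120 seconds, replayed against the test procedure in [1] and against a client opening 1080 evenly spaced connections per hour. The per-run connection counts, timestamps, addresses and the `count_blocked` switch are assumptions.

```python
from collections import defaultdict, deque
from fractions import Fraction

LIMIT, WINDOW = 20, 120   # from the post: 20 connections within 120 seconds


class ConnLimiter:
    """Per-source sliding-window limit on new connections (a model, not iptables)."""

    def __init__(self, count_blocked=False):
        # count_blocked: do refused attempts also occupy the window?
        # The post does not say; both behaviours are modelled.
        self.count_blocked = count_blocked
        self.seen = defaultdict(deque)   # source -> timestamps inside the window

    def allow(self, src, now):
        q = self.seen[src]
        while q and now - q[0] >= WINDOW:   # forget attempts older than the window
            q.popleft()
        ok = len(q) < LIMIT
        if ok or self.count_blocked:
            q.append(now)
        return ok


def replay(limiter, src, bursts):
    """bursts: (time_s, n_new_connections); returns accepted count per burst."""
    return [sum(limiter.allow(src, t) for _ in range(n)) for t, n in bursts]


# Constructed timeline for the post's test procedure. The per-phase connection
# counts for a normal run (5 down, 5 up) and the timestamps are assumptions.
TEST_PROCEDURE = [
    (0, 5), (10, 5),        # -t 10, normal settings: download, upload
    (30, 100), (40, 100),   # -t 10 -n 100: download, upload
    (230, 5), (240, 5),     # after waiting three minutes: normal run again
]


def steady_client(count_blocked, per_hour=1080):
    """Accepted connections in one hour for an evenly spaced client (spacing assumed)."""
    lim = ConnLimiter(count_blocked)
    times = (Fraction(3600 * i, per_hour) for i in range(per_hour))
    return sum(lim.allow("198.51.100.7", t) for t in times)   # documentation address


if __name__ == "__main__":
    print(replay(ConnLimiter(), "192.0.2.10", TEST_PROCEDURE))  # [5, 5, 10, 0, 5, 5]
    print(steady_client(False), steady_client(True))            # 600 20
```

In this model the upload phase of the 100-connection run gets no connections at all, and a 1080/hour client is held to 600 accepted connections per hour, or to 20 if refused attempts also count toward the window.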

