Author Topic: Limiting client connections  (Read 1504 times)

oldguy
Limiting client connections
« on: February 19, 2009, 01:28:15 PM »
Have a strange app and I need to limit the number of TCP sessions that get connected to it.
Millions of bots try to connect and they overrun the Firewall TCP session limit and the entire environment goes off-line.
Version 7 or possibly 8 (not 9 in the near future)...

Any way to write a policy that checks the number of active TCP sessions and drop the TCP SYN if over the #?
Ignoring some clients is not an issue for the app as eventually they will all get served.

Thanks

jmelika
Re: Limiting client connections
« Reply #1 on: February 19, 2009, 03:08:34 PM »
I would suggest you look at the vserver's Spillover options and see if any of them suits your needs.  I don't have much experience with that option.

I think from what you're experiencing, you're probably better off looking at the DoS protection feature.  You could potentially play around with those rates and see which one works best for you.

Good luck.  Please keep us posted with your progress.

evildani
Re: Limiting client connections
« Reply #2 on: February 20, 2009, 12:35:40 PM »
You can limit the active connections on a service with Max Clients, and configure surge protection accordingly.

oldguy
Re: Limiting client connections
« Reply #3 on: April 13, 2009, 12:52:50 PM »
Thanks to those who have replied but there seems to be no way to limit the number of front side TCP sessions to a vserver by ignoring the TCP SYN. I've asked for an enhancement feature to allow this to occur.

My millions of bots are not playing well and if they get a TCP SYN ACK they go crazy and think they have to constantly try until they get a successful answer. We are trying to get the client code changed to apply a better back-off algorithm which is the real answer IMHO.

We have had another case where a bug in client code has overrun the infrastructure. I'd think ignoring TCP SYNs after a certain amount would be a nice protection feature.



Paul B
Re: Limiting client connections
« Reply #4 on: April 21, 2009, 04:53:56 AM »
> Have a strange app and I need to limit the number of TCP sessions that get connected to it.
> ....
> Version 7 or possibly 8 (not 9 in the near future)...

Shame, because ver 9 has a nice new feature which might (or might not :-( ) help, called Rate Limiting.

The concept is that you set up a "monitor" that looks, for example, at the number of incoming requests per client IP, and if any specific IP tries to access you too many times within a specified time period, you can take action (e.g. drop requests, redirect them...)


Paul
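
A minimal sketch of the per-client-IP "monitor" concept described in the reply above, added here as an illustration; it is not the appliance's implementation or configuration. The class name, thresholds and sample traffic are assumptions constructed for the example.

```python
from collections import defaultdict, deque

class PerClientRateMonitor:
    """Sliding-window request counter keyed by client IP (hypothetical name)."""

    def __init__(self, threshold, window_seconds, action="drop"):
        self.threshold = threshold        # max accepted requests per window
        self.window = window_seconds      # length of the time period
        self.action = action              # verdict when a client is over the limit
        self._seen = defaultdict(deque)   # client IP -> timestamps of accepted requests

    def check(self, client_ip, now):
        """Return "allow" or the configured action for a request arriving at `now`."""
        stamps = self._seen[client_ip]
        # Expire timestamps that have fallen out of the window.
        while stamps and now - stamps[0] >= self.window:
            stamps.popleft()
        if len(stamps) >= self.threshold:
            # Rejected requests are not recorded, so a noisy client recovers
            # once its accepted requests age out of the window.
            return self.action
        stamps.append(now)
        return "allow"

    def prune(self, now):
        """Forget idle clients so millions of sources cannot grow the table forever."""
        idle = [ip for ip, s in self._seen.items()
                if not s or now - s[-1] >= self.window]
        for ip in idle:
            del self._seen[ip]

# Constructed sample traffic: (seconds, client IP). 198.51.100.7 retries
# aggressively; 203.0.113.20 behaves normally.
SAMPLE_EVENTS = [
    (0.0, "198.51.100.7"), (0.1, "198.51.100.7"), (0.2, "203.0.113.20"),
    (0.3, "198.51.100.7"), (0.4, "198.51.100.7"), (0.5, "198.51.100.7"),
    (5.0, "203.0.113.20"), (10.5, "198.51.100.7"),
]

def run_sample(threshold=3, window_seconds=10):
    """Replay the constructed events and return (time, ip, verdict) tuples."""
    monitor = PerClientRateMonitor(threshold, window_seconds)
    return [(t, ip, monitor.check(ip, t)) for t, ip in SAMPLE_EVENTS]

if __name__ == "__main__":
    for t, ip, verdict in run_sample():
        print(f"{t:5.1f}s {ip:15} {verdict}")
```
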