Inbound PPS rate limiting


I'm trying to apply a rate limit to the inbound packet rate of an interface, as you can do in Mikrotik for example.
Is there any configuration inside VyOS or iptables itself with which I can achieve this?


iptables-based rate limiting of a single firewall rule:
set firewall name test rule 1 limit ?

For slowing down an entire interface or prioritizing packets, look into QoS. For an older Vyatta manual on this topic, google Vyatta-QoS_6.5R1_v01.pdf

Hi there!

Actually, we are looking for some solution to minimize the impact of a DDoS attack on the equipment behind VyOS.
I.e.: on ether1 we have a 200 Mbps IP transit, so we are expecting something around 20k/30k pps, right? If the counter reaches this limit, we want to drop the packets! We were using this rule in Mikrotik before, but we do not know how to replicate it in VyOS.

Look at the error I got when I tried to use something above 10k pps:


vyos@border# commit
[ firewall name ddos ]
iptables v1.4.12.2: Rate too fast "30000/second"

Try `iptables -h' or 'iptables --help' for more information.
iptables error: Inappropriate ioctl for device - -m comment --comment "ddos-10" -m limit --limit 30000/second --limit-burst 1 -j RETURN at /opt/vyatta/sbin/ line 609.

[[firewall name ddos]] failed
Commit failed



Thanks, bro!

Why do you need 10k pps to begin with on a rule?
Most firewalls start with an allow established/related rule, matching the bulk of previously allowed traffic.
Do the limiting on other rules, like the ones allowing ICMP requests, or the initial SYN for HTTP traffic.

I'm trying to limit the maximum rate that can pass through the interface.
Suppose that someone wants to attack some router behind VyOS. How can I limit the maximum packet rate that can pass through this interface? If I do not set any limit and I receive a DDoS attack, my infrastructure can freeze because of the high CPU usage induced by the attack.

A DDoS is basically a huge number of new connections/sessions. Only session setup packets will hit the "new" rule (allow port 80 to the webserver); subsequent packets will use the estab/related rule.
For normal traffic, the NEW rule isn't used that often, since the bulk of traffic uses estab/related. So you can set a rather low allow limit on the new rule without running into problems if no DDoS is active.
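Added example (not code from this thread, from VyOS or from iptables): a small Python model of the `-m limit` token bucket that the VyOS `limit` keyword is translated into. `parse_rate` reproduces the userspace check behind the "Rate too fast" commit error shown above (the limit match caps at 10000 packets per second, the XT_LIMIT_SCALE constant), and `simulate` runs constructed sample traffic through the policy recommended in the last reply: accept established/related first, rate-limit only NEW packets, drop the rest. The millisecond timestamps, the conntrack state labels and the traffic mix are constructed for the example, and the credit arithmetic is a simplification of the kernel's jiffy-based version.

```python
"""Toy model of the iptables `-m limit` match (kernel module xt_limit).

Added example for this thread; it is not VyOS or iptables code. The limit
match is a token bucket: `--limit RATE` is the refill rate, `--limit-burst N`
(default 5) is the bucket size, and a packet matches only if a whole token is
available. The 10000/second ceiling mirrors XT_LIMIT_SCALE in the iptables
userspace parser, which is why `--limit 30000/second` is rejected with
"Rate too fast" at commit time.
"""
from dataclasses import dataclass, field
from fractions import Fraction

XT_LIMIT_SCALE = 10000  # real constant from xt_limit.h: max rate is 10000/second

_UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def parse_rate(spec: str) -> Fraction:
    """Parse an iptables rate such as "30/second" or "5/minute".

    Returns packets per second as an exact Fraction, or raises ValueError
    with the same wording iptables uses for rates above 10000/second.
    """
    num_str, _, unit = spec.partition("/")
    num = int(num_str)
    unit = unit or "second"          # iptables defaults to /second
    if unit not in _UNIT_SECONDS:
        raise ValueError(f"unknown unit {unit!r}")
    if num <= 0:
        raise ValueError("rate must be positive")
    per_second = Fraction(num, _UNIT_SECONDS[unit])
    if per_second > XT_LIMIT_SCALE:
        raise ValueError(f'Rate too fast "{spec}"')
    return per_second


@dataclass
class LimitMatch:
    """One `-m limit` instance. Times are integer milliseconds."""
    rate: Fraction            # tokens (packets) per second
    burst: int = 5            # iptables default --limit-burst
    credit: Fraction = field(init=False)
    last_ms: int = field(init=False, default=0)

    def __post_init__(self) -> None:
        if self.burst < 1:
            raise ValueError("burst must be >= 1")
        self.credit = Fraction(self.burst)   # bucket starts full

    def match(self, now_ms: int) -> bool:
        """True if a packet seen at now_ms matches (and consumes a token)."""
        elapsed_ms = max(0, now_ms - self.last_ms)
        self.last_ms = now_ms
        # Refill for the elapsed time, never above the burst size.
        self.credit = min(Fraction(self.burst),
                          self.credit + Fraction(elapsed_ms, 1000) * self.rate)
        if self.credit >= 1:
            self.credit -= 1
            return True
        return False


def simulate(packets, rate_spec: str, burst: int):
    """Run packets through the policy from the thread: accept
    ESTABLISHED/RELATED unconditionally, rate-limit NEW, drop the rest.

    `packets` is an iterable of (time_ms, conntrack_state).
    Returns (accepted, dropped).
    """
    bucket = LimitMatch(parse_rate(rate_spec), burst)
    accepted = dropped = 0
    for now_ms, state in packets:
        if state in ("ESTABLISHED", "RELATED"):
            accepted += 1                  # never reaches the limit match
        elif state == "NEW" and bucket.match(now_ms):
            accepted += 1                  # within the new-connection rate
        else:
            dropped += 1                   # default-action drop
    return accepted, dropped


def constructed_traffic():
    """Constructed sample: a 1000 pps flood of NEW packets for one second,
    with 200 packets of legitimate established traffic interleaved."""
    flood = [(ms, "NEW") for ms in range(1000)]
    legit = [(ms, "ESTABLISHED") for ms in range(0, 1000, 5)]
    return sorted(flood + legit)


if __name__ == "__main__":
    for spec in ("30/second", "30000/minute", "30000/second"):
        try:
            print(f"{spec:>14}: {float(parse_rate(spec)):.1f} pps")
        except ValueError as err:
            print(f"{spec:>14}: rejected ({err})")
    accepted, dropped = simulate(constructed_traffic(), "100/second", 10)
    print(f"accepted={accepted} dropped={dropped}")
```

With `100/second` and a burst of 10, the established traffic passes untouched while only 109 of the 1000 flood packets get through (the initial burst of 10, then one token per 10 ms). The same model also shows why the original commit failed: `30000/second` exceeds the 10000/second ceiling of the limit match, whereas `30000/minute` (500 pps) is accepted, and a per-rule limit like this is not an interface-wide pps cap, which is what the QoS suggestion earlier in the thread addresses.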