Dynamic Ratelimiting

Linux Advanced Routing and Traffic Control


I've been using linux routing (htb qdisc) for almost a year now to try and
manage the network here in a college environment.  One of the major
problems that I faced when I started this "little" project was P2P
upload/downloads.  At times the network would slow down so much one
couldn't even load a webpage.  I've tried the ratelimiting of certain
ports, prioritizing certain blocks of IP, but all of it seems to be "less
than ideal."  We had continued to have problems with legitimate traffic
being limited, our VoIP network was degraded (even after prioritizing),
and our mirroring of slackware.com and cpan.org was less than glorious.
It was workable but it was no way a good scene.  After analyzing traffic,
I thought it would have been inefficient to try and look into the data
portion of the datagram but what I did notice about the traffic we had
here was that the P2P machines had an unusually high number of connections.
For our network, the number of connections was something that could
easily be monitored.   So, I've created a few scripts that use
iptables, tc, and a sniffer that dynamically ratelimits machines (IPs).
I've been using this script for awhile and it has done wonders for our
network.  A side effect of the scripts has been a ratelimiting of new
Windows(tm) worm scans, port scans, and anything else that makes an
unusually high number of connections.  The VoIP traffic finally is usable
(ideal?), and our mirrors work great. The project (I've called it
'pacemaker') is pretty configurable in that you can ignore certain hosts,
networks, or ports if you know you would never want to ratelimit those
resources based on number of connections. Seeing that it works so well
here, I thought I'd offer it to the open source community and see if they
could give me any pointers on making pacemaker better.

You can find the network statistics pages here:
http://mrtg.saintjoe.edu/

and pacemaker specifically here:
http://mrtg.saintjoe.edu/mrtg/ratelimit/pacemaker/

peace
-- 
David DeLauro
Computer Systems Analyst
Saint Joseph's College
Rensselaer, IN 47978


Do not handicap your children by making their lives easy. - Robert Heinlein

Hata ukinichukia la kweli nitakwambia - Kanga Proverb

I have often regretted my speech, never my silence. - Xenocrates
_______________________________________________
LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
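The connection-count approach the post describes, as an added example that is not pacemaker's code: a constructed /proc/net/ip_conntrack sample is counted per local host, hosts and destination ports that must never be limited are skipped, and the iptables/tc commands that would steer an offender into a small HTB class are generated but not executed. The local network, threshold, mark number and the exact iptables/tc command forms are assumptions, not details from the post.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample in the style of /proc/net/ip_conntrack; it is not traffic
# captured from the author's network. 10.1.2.55 behaves like a P2P client.
SAMPLE_CONNTRACK = """\
tcp 6 431999 ESTABLISHED src=10.1.2.10 dst=198.51.100.7 sport=3345 dport=80 [ASSURED]
tcp 6 431999 ESTABLISHED src=10.1.2.55 dst=203.0.113.9 sport=6881 dport=6881 [ASSURED]
tcp 6 431999 ESTABLISHED src=10.1.2.55 dst=203.0.113.17 sport=6881 dport=51413 [ASSURED]
tcp 6 120 SYN_SENT src=10.1.2.55 dst=203.0.113.23 sport=6881 dport=6889 [UNREPLIED]
tcp 6 120 SYN_SENT src=10.1.2.55 dst=203.0.113.41 sport=6881 dport=6881 [UNREPLIED]
udp 17 30 src=10.1.2.55 dst=203.0.113.42 sport=6881 dport=6881
udp 17 30 src=10.1.2.3 dst=198.51.100.20 sport=5060 dport=5060 [ASSURED]
udp 17 30 src=10.1.2.3 dst=198.51.100.21 sport=10000 dport=10000 [ASSURED]
udp 17 30 src=10.1.2.3 dst=198.51.100.22 sport=10002 dport=10002 [ASSURED]
tcp 6 431999 ESTABLISHED src=10.1.2.20 dst=198.51.100.30 sport=40001 dport=873 [ASSURED]
tcp 6 431999 ESTABLISHED src=10.1.2.20 dst=198.51.100.31 sport=40002 dport=873 [ASSURED]
tcp 6 431999 ESTABLISHED src=10.1.2.20 dst=198.51.100.32 sport=40003 dport=873 [ASSURED]
"""
CONN_RE = re.compile(r"src=(?P<src>\S+) dst=\S+ sport=\d+ dport=(?P<dport>\d+)")

def count_connections(conntrack_text, local_net, ignore_hosts=(), ignore_ports=()):
    """Connections per local host; whitelisted hosts and destination ports are skipped.
    Only the first src/dst group of each line (the original direction) is used."""
    net, skip = ip_network(local_net), {ip_address(h) for h in ignore_hosts}
    counts = Counter()
    for m in filter(None, map(CONN_RE.search, conntrack_text.splitlines())):
        src, dport = ip_address(m.group("src")), int(m.group("dport"))
        if src in net and src not in skip and dport not in ignore_ports:
            counts[str(src)] += 1
    return counts

def offenders(counts, threshold):
    """Hosts at or above the connection threshold, with their counts."""
    return {ip: n for ip, n in counts.items() if n >= threshold}

def limit_commands(ip, mark, dev="eth0", rate="64kbit"):
    """Assumed commands: mark the host's packets and steer that mark into a small HTB
    class. Returned as strings, not executed; root qdisc 1: and class 1:1 are assumed."""
    return [
        f"iptables -t mangle -A FORWARD -s {ip} -j MARK --set-mark {mark}",
        f"tc class add dev {dev} parent 1:1 classid 1:{mark} htb rate {rate}",
        f"tc filter add dev {dev} parent 1:0 protocol ip prio 2 handle {mark} fw flowid 1:{mark}",
    ]

if __name__ == "__main__":
    counts = count_connections(SAMPLE_CONNTRACK, "10.1.0.0/16", ["10.1.2.3"], {873})
    for ip, n in offenders(counts, 3).items():
        print(f"# {ip}: {n} connections", *limit_commands(ip, 10), sep="\n")
```

With the VoIP gateway 10.1.2.3 and the rsync mirror port 873 whitelisted, only the P2P-like host is flagged; without the whitelist both legitimate hosts would cross the same threshold, which is the misfire the post's ignore lists exist to prevent.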
