simonkizi
newbie
Topic Author
Posts: 45
Joined: Mon Jan 30, 2006 10:38 pm

Does anyone know a means to limit the No. of UDP connections?

Fri Apr 07, 2006 10:41 am

Hi there,

Can anyone please give us a hint on how to limit the number of connections established by specific IPs or a Range?

This is to protect against DoS attacks on the one hand, and to limit the number of P2P and Accelerated Connections/Sessions on the other.

This is required for TCP and UDP connections. Limiting the packet match rate hasn't helped much, and connection-limit does not work for UDP connections. Maybe some mangle and queues?

Please help.

Thx
Last edited by simonkizi on Fri Apr 07, 2006 4:46 pm, edited 1 time in total.
 
normis
MikroTik Support
Posts: 24383
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Fri Apr 07, 2006 10:46 am

this is explained in the first example of the manual:
http://www.mikrotik.com/docs/ros/2.9/ip/filter
To only allow not more than 5 simultaneous connections from each of the clients, do the following:
/ip firewall filter add chain=forward protocol=tcp tcp-flags=syn connection-limit=6,32 action=drop
 
simonkizi
newbie
Topic Author
Posts: 45
Joined: Mon Jan 30, 2006 10:38 pm

Fri Apr 07, 2006 11:31 am

Thx Normis.

Does this also apply to UDP connections? 'Cause I can't set connection-limit for UDP.

Got some clients using P2P opening 20 to 30 UDP sessions from each client IP simultaneously! Shows on torch.

What if I want to allow more than 5 for some clients, like ten for instance or more?

Limewire is our worst nightmare. Up to 50 or maybe more simultaneous sessions. It is causing DoS. No other client can connect when Limewire is active. Have to browse down in torch to reach the end of the list on a 19-inch monitor lol.

Regards.
 
simonkizi
newbie
Topic Author
Posts: 45
Joined: Mon Jan 30, 2006 10:38 pm

Fri Apr 07, 2006 2:16 pm

this is explained in the first example of the manual:
http://www.mikrotik.com/docs/ros/2.9/ip/filter
To only allow not more than 5 simultaneous connections from each of the clients, do the following:
/ip firewall filter add chain=forward protocol=tcp tcp-flags=syn connection-limit=6,32 action=drop

OK, it is quite clear now how to limit TCP connections, but how about UDP? Is it possible or not? Do we need a proxy server to control UDP?

If we can do nothing about it, then we have to send warnings to our clients.

Thx.
 
whalen
newbie
Posts: 31
Joined: Tue Jun 01, 2004 4:08 pm
Location: Belleville, MI

Fri Apr 07, 2006 5:29 pm

UDP is a connectionless protocol, so there are no "connections" to limit.
 
YappaDappa
Frequent Visitor
Posts: 70
Joined: Mon Dec 12, 2005 12:34 pm

affects

Sun Apr 09, 2006 8:51 am

Will applying this rule to, say, 50 queues have a negative impact on consistent speeds used for gaming and streaming?
 
YappaDappa
Frequent Visitor
Posts: 70
Joined: Mon Dec 12, 2005 12:34 pm

Sun Apr 09, 2006 2:15 pm

Tried this rule, and people instantly had problems with complete page resolution. Any ideas?
 
savage
Forum Guru
Posts: 1214
Joined: Mon Oct 18, 2004 12:07 am
Location: Cape Town, South Africa

Sun Apr 09, 2006 3:53 pm

Obviously that will happen.

You didn't post what rule you "tried", so I presumed you "tried" the rule that limits to 5 connections.

It's WAY too little. Most modern browsers alone run with anywhere from 10 to 20 (some even more) threads in the background, all making individual requests to open up web pages, load graphics, etc. etc. etc.

Before you drop, log. It will show you clearly when / if / why a rule is hitting, and based on that you will know what to do to resolve whatever problem you are having.
Regards,
Chris
 
djape
Member
Posts: 469
Joined: Sat Nov 06, 2004 7:54 pm
Location: Serbia

Sun Apr 09, 2006 5:20 pm

I have found 16 to be the optimal limitation...
I drink like a pirate and smoke like a hippie...
 
simonkizi
newbie
Topic Author
Posts: 45
Joined: Mon Jan 30, 2006 10:38 pm

Sun Apr 09, 2006 8:17 pm

UDP is a a connectionless protocol, so there are no "connections" to limit.

Thx for the reply,

Yet I have clients who are using P2P programs, and when I monitor their connections through torch, I see a hundred plus sessions or packets or whatever they are, simultaneously. When I block the related client(s), the network is fast again for everyone else.
When I allow them, the network, or at least Internet access, gets really slow, i.e. almost similar to DoS, mostly affecting DNS requests on UDP port 53. Queues don't help as the hundred above don't amount to 15 kbps. So, it is not the packet size, but the number of packets sent/sec or something else.

So, if UDP doesn't work via connections, is it possible to limit the number of UDP packets sent by a client through the (Winbox) Firewall Filter, protocol udp(17), "limit" packet match rate? If yes, then what is an advisable setting?

Thx to whoever answers.

Regards.
 
wildbill442
Forum Guru
Posts: 1050
Joined: Wed Dec 08, 2004 7:29 am
Location: Sacramento, CA

Mon Apr 10, 2006 7:30 am

Can you give more information on the network configuration and topology? We limit P2P to 512kbps for each user on our network and haven't experienced any problems with the amount of UDP connections causing DoS. How many packets per second are going through the local router? Is CPU utilization being maxed out on the router, or any other resources?

Also, what kind of upstream connection do you have (i.e. xDSL, T1, T3, fiber, etc.)?
 
simonkizi
newbie
Topic Author
Posts: 45
Joined: Mon Jan 30, 2006 10:38 pm

Mon Apr 10, 2006 3:25 pm

Ok.

We are running several Mikrotik Highpoints with the APs running as PPPoE servers. The AP interface has no IP Address. PPPoE clients connect to the towers through wireless media. The authentication is accomplished through a centralized radius server. There is a linux box load balancing several 512kbps ADSL lines as gateway and DNS server.

Now, our problem is mainly with some P2P programs running on the client side, that upload and download showing some 50-100 or more UDP entries on torch. It seems the capacity of the gateway is not more than 200 UDP packets, sessions or whatever per second. This is not about the bandwidth consumption because each PPPoE client is limited to 128 kbps max.

If torch shows the number of packets sent/received per second, 100s of UDP send/receive inputs are displayed, as if it is an open stream of tiny entries less than a KByte each. When the client is uploading, then the DNS resolution is slowing down on our system, as DNS requires UDP port 53. In simple terms, we have to refresh Internet Explorer some ten times to resolve a FQDN. Regarding the processor consumption, it runs at an average of 30% on an RB532 whenever the above scenario exists.

It is not the processor, not the bandwidth, but the number of sessions or packets sent/received simultaneously from an individual IP. In the case of TCP, fine, we know how to limit connections easily, but for UDP there is no connection limit. So, again I ask: would limiting the packet match rate for the UDP protocol help? Or else, please, someone, help us.

Thx.
 
spire2z
Long time Member
Posts: 517
Joined: Mon Feb 14, 2005 2:48 am

Tue Apr 11, 2006 12:43 am

You might want to look at the MikroTik for traffic shaping. There you can limit P2P to a certain amount of connections. Try 15 - 20.
 
simonkizi
newbie
Topic Author
Posts: 45
Joined: Mon Jan 30, 2006 10:38 pm

Tue Apr 11, 2006 11:02 am

You might want to look at the MikroTik for traffic shaping. There you can limit P2P to a certain amount of connections. Try 15 - 20.

Kindly, can you elaborate a bit more, e.g. give an example?

I have tried something and it seems to help. I set the UDP protocol packet match rate to 16/sec with Burst=20. Seems to help a bit.

Thx.
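The "packet match rate" simonkizi describes is the firewall filter's limit matcher, and the detail that decides whether it helps or hurts is that the token bucket belongs to the rule, not to the client: one rule with limit=16,20 on all forwarded UDP shares 16 packets per second between every PPPoE client, which is exactly how DNS lookups end up starved. The configuration below is an added example, not from the thread or the MikroTik manual, written in RouterOS 2.9-era syntax (limit=count[/time],burst with the time defaulting to one second, so limit=16,20 is simonkizi's 16/sec with burst 20). The chain name udp-limit, the log prefix and the client addresses 10.10.0.11 and 10.10.0.12 are constructed placeholders; the per-client pattern relies on each rule keeping its own bucket, so a client needs its own accept rule to get its own budget.

```routeros
# Added example (not from the thread). Assumed: RouterOS 2.9-era syntax;
# "udp-limit", the log prefix and the 10.10.0.x client addresses are placeholders.
/ip firewall filter

# DNS queries are accepted before any limiting, so resolution (the symptom
# simonkizi reports on udp/53) is never charged against a client's budget
add chain=forward protocol=udp dst-port=53 action=accept

# Hand all other forwarded UDP to a dedicated chain
add chain=forward protocol=udp action=jump jump-target=udp-limit

# Each rule owns its own token bucket, so one accept rule per client address
# gives that client its own 16 pps / burst 20 budget (constructed sample clients)
add chain=udp-limit src-address=10.10.0.11 limit=16,20 action=accept
add chain=udp-limit src-address=10.10.0.12 limit=16,20 action=accept

# Packets a listed client sends beyond its budget fall through to here:
# log first (action=log passes the packet on), then drop. Clients with no
# rule in this chain reach its end and return to forward untouched.
add chain=udp-limit src-address=10.10.0.11 action=log log-prefix="udp-over-limit"
add chain=udp-limit src-address=10.10.0.11 action=drop
add chain=udp-limit src-address=10.10.0.12 action=log log-prefix="udp-over-limit"
add chain=udp-limit src-address=10.10.0.12 action=drop
```

The log rules are there for savage's reason: the right budget is not known in advance (16 pps is far below what gaming or VoIP clients send), so watch which clients the udp-over-limit entries name and how often before trusting the number. A single shared rule is only appropriate for traffic that should be capped in aggregate.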
 
spire2z
Long time Member
Posts: 517
Joined: Mon Feb 14, 2005 2:48 am

Tue Apr 11, 2006 4:52 pm

Like you are doing but choose:

Forward firewall filter.

tcp options -any
connection limit 15
all-p2p

and leave burst and count time limit values all at 0

This should keep traceable P2P at bay. You should also mangle P2P and limit the speed too in the queue tree to finish the job.
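spire2z's second step (mangle P2P, then cap its speed in the queue tree) and wildbill442's per-user 512 kbps figure fit together as follows. This is an added example, not configuration from the thread or from MikroTik, written in RouterOS 2.9-era syntax and assuming the p2p matcher, connection and packet marks, the PCQ queue type and the global-in/global-out queue-tree parents. The mark and queue names are placeholders I chose; pcq-rate=512000 is wildbill442's per-user limit, and PCQ is used because a single queue-tree leaf with max-limit would cap all P2P users together, not each one.

```routeros
# Added example (not from the thread). Assumed 2.9-era syntax; names are placeholders.
/ip firewall mangle
# Mark the connection once the p2p matcher has classified it (passthrough=yes so
# the packet-mark rule below still sees it), then mark every packet of that connection
add chain=forward p2p=all-p2p action=mark-connection new-connection-mark=p2p passthrough=yes
add chain=forward connection-mark=p2p action=mark-packet new-packet-mark=p2p passthrough=no

/queue type
# PCQ splits the queue into one sub-queue per address, each limited to pcq-rate.
# Download direction is classified by the client's address as destination,
# upload direction by the client's address as source.
add name=pcq-p2p-down kind=pcq pcq-rate=512000 pcq-classifier=dst-address
add name=pcq-p2p-up kind=pcq pcq-rate=512000 pcq-classifier=src-address

/queue tree
# Leaves pick up the p2p packet mark; the per-client cap comes from pcq-rate,
# so no max-limit is needed unless an aggregate P2P ceiling is also wanted
add name=p2p-down parent=global-out packet-mark=p2p queue=pcq-p2p-down
add name=p2p-up parent=global-in packet-mark=p2p queue=pcq-p2p-up
```

Note that marking happens in the forward chain, so the queue tree only ever sees traffic that crossed the router; a connection the p2p matcher never classifies (encrypted or unknown clients) stays unmarked and is handled by whatever per-client queue already applies, which is why the firewall connection limit is still worth keeping alongside this.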
 
hci
Long time Member
Posts: 604
Joined: Fri May 28, 2004 5:10 pm

Tue May 02, 2006 1:15 am

/ip firewall filter add chain=forward protocol=tcp tcp-flags=syn connection-limit=6,32 action=drop

Can this be altered so it only looks at non-HTTP connections? Since we run a transparent web cache, I doubt any P2P is going to get through HTTP anyway.

Matthew
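Several questions in this thread are answered by the same rule set: normis's connection-limit rule, simonkizi's wish to allow some clients more than others, savage's advice to log before dropping, djape's figure of 16, and hci's question about leaving HTTP out. The configuration below is an added example, not from the thread or the MikroTik manual, in RouterOS 2.9-era syntax. It follows the convention of the manual example normis quoted, where connection-limit=6,32 caps each client at 5, so the value is the cap plus one. The chain name conn-limit, the address list high-conn-clients, the sample address 192.0.2.10, the higher cap of 32 for listed clients and the log prefixes are all placeholders I chose.

```routeros
# Added example (not from the thread). Assumed: 2.9-era syntax; chain, list,
# address, log prefixes and the cap of 32 for listed clients are placeholders.
/ip firewall address-list
add list=high-conn-clients address=192.0.2.10 comment="constructed sample: client allowed a higher cap"

/ip firewall filter
# Only new TCP connections (SYN) go through the limiting chain, as in normis's rule
add chain=forward protocol=tcp tcp-flags=syn action=jump jump-target=conn-limit

# hci's case: new web connections are never refused here (a transparent cache
# handles them). Existing web connections still count toward the per-source
# total, since connection-limit counts all tracked connections from the address.
add chain=conn-limit protocol=tcp dst-port=80 action=return

# Listed clients: cap 32 (value 33), log before drop, then leave the chain so
# the general rules below never see them
add chain=conn-limit protocol=tcp src-address-list=high-conn-clients connection-limit=33,32 action=log log-prefix="connlimit-listed"
add chain=conn-limit protocol=tcp src-address-list=high-conn-clients connection-limit=33,32 action=drop
add chain=conn-limit protocol=tcp src-address-list=high-conn-clients action=return

# Everyone else: cap 16 (djape's figure, value 17). savage's point: the log rule
# is passthrough, so it records exactly which clients the drop rule hits
add chain=conn-limit protocol=tcp connection-limit=17,32 action=log log-prefix="connlimit"
add chain=conn-limit protocol=tcp connection-limit=17,32 action=drop
```

To test a new cap safely, add the log rule alone first and watch the connlimit entries for a day; YappaDappa's broken page loads are what a cap of 5 looks like in the log, with ordinary browser sessions being the first thing refused. Raising the cap for one client is then a matter of adding its address to high-conn-clients rather than editing rules.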
