[Twisted-Python] most efficient new connection rate limiting?

Stephen Thorne stephen at thorne.id.au
Thu Feb 5 00:25:08 MST 2009


On 2009-02-04, Alec Matusis wrote:
> 1) Create a dictionary {ip1: count1, ip2: count2, ...} in the server, and
> check the counts for each incoming connection.
> Disconnect with transport.loseConnection() if the threshold for ip:count is
> exceeded.
> Reset this dictionary to an empty dict {} every minute with a reactor.callLater
> timer.
> 
> 2) Use some Twisted rate limiter API that I am not familiar with?
> 
> 3) Use the iptables rate-limiting module like so:
> iptables -I INPUT -p tcp --dport 8888 -i eth0 -m state --state NEW -m recent --set
> iptables -I INPUT -p tcp --dport 8888 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 -j DROP

I would recommend approach (3) because approach (1) will do an accept()
of the connection and then drop it, giving the host on the other end a
syn/ack transaction followed by a closed connection, and then it will
probably attempt to reconnect immediately.

Whereas (3) relies on the tcp/ip stack of the connecting host to send a
bunch of syn packets until it gets through, or times out and follows its
timeout logic.

-- 
Regards,
Stephen Thorne
Development Engineer
NetBox Blue - 1300 737 060
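The per-IP counting scheme of option (1), written out as an added example (this is not code from the thread or from Twisted), next to a rolling-window variant that avoids the once-a-minute reset. The class names, the `FakeClock`, and the 203.0.113.x / 198.51.100.x addresses are illustrative assumptions; the clock is faked so both limiters can be driven deterministically and compared.

```python
"""Per-source-IP limiting of new connections in the application layer.

Added example for this thread, not code from the original post or from
Twisted.  Two implementations of "approach (1)" are shown: the
reset-every-minute dict as described, and a rolling-window variant.
"""
import time
from collections import defaultdict, deque


class FakeClock:
    """Deterministic stand-in for time.monotonic(); advance() moves time on."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class ResetCounterLimiter:
    """Approach (1) as described: {ip: count}, emptied every `window` seconds.

    In Twisted the emptying would be a repeating reactor.callLater(); here it
    is done lazily from the clock so the class runs standalone.  Weakness: a
    client that straddles the reset boundary gets 2 x `limit` connections.
    """

    def __init__(self, limit=10, window=60.0, clock=None):
        self.limit, self.window = limit, window
        self.clock = clock or time.monotonic
        self.counts = {}
        self._epoch = self.clock()

    def allow(self, ip):
        now = self.clock()
        elapsed = now - self._epoch
        if elapsed >= self.window:                  # the "reset to {}" timer fired
            self._epoch += int(elapsed // self.window) * self.window
            self.counts = {}
        self.counts[ip] = self.counts.get(ip, 0) + 1
        return self.counts[ip] <= self.limit


class RollingWindowLimiter:
    """At most `limit` new connections per IP in any `window`-second span.

    Every attempt is recorded, refused ones included, so a client that keeps
    hammering stays blocked until it backs off (comparable in effect to the
    `-m recent --update` rule, which also refreshes on each matching SYN).
    """

    def __init__(self, limit=10, window=60.0, clock=None):
        self.limit, self.window = limit, window
        self.clock = clock or time.monotonic
        self._hits = defaultdict(deque)             # ip -> timestamps in window

    def allow(self, ip):
        now = self.clock()
        q = self._hits[ip]
        cutoff = now - self.window
        while q and q[0] <= cutoff:                 # expire old attempts
            q.popleft()
        q.append(now)
        return len(q) <= self.limit

    def prune(self):
        """Drop idle IPs so many distinct sources cannot grow the table
        without bound; schedule this periodically.  Returns IPs still tracked."""
        cutoff = self.clock() - self.window
        for ip in list(self._hits):
            q = self._hits[ip]
            while q and q[0] <= cutoff:
                q.popleft()
            if not q:
                del self._hits[ip]
        return len(self._hits)


def burst_across_boundary(limiter_cls, limit=10, window=60.0, attempts=40):
    """Connections one IP gets through when half its attempts land just
    before a minute boundary and half just after it (constructed scenario)."""
    clock = FakeClock(0.0)
    lim = limiter_cls(limit=limit, window=window, clock=clock)
    clock.advance(window - 1.0)                     # t = 59 s
    accepted = sum(lim.allow("203.0.113.7") for _ in range(attempts // 2))
    clock.advance(2.0)                              # t = 61 s, minute rolled over
    accepted += sum(lim.allow("203.0.113.7") for _ in range(attempts // 2))
    return accepted


def recovers_after_backoff(limit=3, window=60.0):
    """A blocked client is admitted again once it stays quiet for `window`."""
    clock = FakeClock(0.0)
    lim = RollingWindowLimiter(limit=limit, window=window, clock=clock)
    results = [lim.allow("198.51.100.2") for _ in range(limit + 2)]
    clock.advance(window + 0.001)
    return results, lim.allow("198.51.100.2"), lim.prune()


if __name__ == "__main__":
    print("reset-dict, burst over boundary:", burst_across_boundary(ResetCounterLimiter))
    print("rolling window, burst over boundary:", burst_across_boundary(RollingWindowLimiter))
    print("rolling window, recovery:", recovers_after_backoff())
```

To wire either limiter into a Twisted server, keep one instance on the `Factory` and, in `buildProtocol(self, addr)`, return `None` when `self.limiter.allow(addr.host)` is false; Twisted closes the freshly accepted socket when `buildProtocol` returns `None`, which avoids building a protocol object but, as the reply above says, still leaves the peer with a completed handshake followed by a close. A `LoopingCall` (or repeating `callLater`) to `prune()` keeps the table bounded. Only the iptables `recent` rules refuse the SYN before `accept()` ever runs.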
