I've been using linux routing (htb qdisc) for almost a year now to try and manage the network here in a college environment. One of the major problems that I faced when I started this "little" project was P2P upload/downloads. At times the network would slow down so much one couldn't even load a webpage. I've tried the ratelimiting of certain ports, prioritizing certain blocks of IP, but all of it seems to be "less than ideal." We had continued to have problems with legitimate traffic being limited, our VoIP network was degraded (even after prioritizing), and our mirroring of slackware.com and cpan.org was less than glorious. It was workable but it was no way a good scene.

After analyzing traffic, I thought it would have been inefficient to try and look into the data portion of the datagram, but what I did notice about the traffic we had here was that the P2P machines had an unusually high number of connections. For our network, the number of connections was something that could easily be monitored. So, I've created a few scripts that used iptables, tc, and a sniffer that dynamically ratelimits machines (IPs). I've been using this script for a while and it has done wonders for our network. A side effect of the scripts has been a ratelimiting of new Windows(tm) worm scans, port scans, and anything else that makes an unusually high number of connections. The VoIP traffic finally is usable (ideal?), and our mirrors work great.

The project (I've called it 'pacemaker') is pretty configurable in that you can ignore certain hosts, networks, or ports if you know you would never want to ratelimit those resources based on number of connections. Seeing that it works so well here, I thought I'd offer it to the open source community and see if they could give me any pointers on making pacemaker better.
You can find the network statistics pages here: http://mrtg.saintjoe.edu/ and pacemaker specifically here: http://mrtg.saintjoe.edu/mrtg/ratelimit/pacemaker/

peace
--
David DeLauro
Computer Systems Analyst
Saint Joseph's College
Rensselaer, IN 47978

Do not handicap your children by making their lives easy. - Robert Heinlein
Hata ukinichukia la kweli nitakwambia - Kanga Proverb
I have often regretted my speech, never my silence. - Xenocrates

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
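As an added illustration of the connection-count approach David describes (example code written for this thread, not pacemaker's own scripts): it counts distinct connections per source host from constructed sniffer-style lines, honours ignore lists for networks and ports, and returns the iptables/tc commands a pacemaker-style tool would run for an offender. The sample lines, the 10.1.x.x addresses, the 1:1 HTB parent class and the 64kbit rate are all assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the "src:sport > dst:dport" shape a sniffer prints for TCP.
# 10.1.2.9 behaves like a P2P client (many peers), 10.1.7.1 is a VoIP box.
SAMPLE = """\
10.1.2.3:51001 > 192.0.2.10:80
10.1.2.3:51002 > 192.0.2.11:80
10.1.2.9:40001 > 198.51.100.5:6881
10.1.2.9:40002 > 198.51.100.6:6881
10.1.2.9:40003 > 198.51.100.7:6882
10.1.2.9:40003 > 198.51.100.7:6882
10.1.2.9:40004 > 198.51.100.8:6883
10.1.2.9:40005 > 198.51.100.9:873
10.1.7.1:5060 > 192.0.2.50:5060
10.1.7.1:5061 > 192.0.2.51:5060
10.1.7.1:5062 > 192.0.2.52:5060
10.1.7.1:5063 > 192.0.2.53:5060
"""

IGNORE_NETS = [ipaddress.ip_network("10.1.7.0/24")]  # VoIP block: never throttle
IGNORE_PORTS = {873}                                  # rsync to the mirrors
THRESHOLD = 3                                         # distinct connections per host

def count_connections(text):
    """Return {src_ip: number of distinct (sport, dst, dport) tuples seen}."""
    seen = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        src, _, dst = line.split()
        ip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        if int(dport) in IGNORE_PORTS or any(ipaddress.ip_address(ip) in n for n in IGNORE_NETS):
            continue  # ignored host/network/port, as pacemaker allows
        seen[ip].add((sport, dip, dport))
    return {ip: len(s) for ip, s in seen.items()}

def offenders(text, threshold=THRESHOLD):
    """Hosts with more distinct connections than the threshold."""
    return sorted(ip for ip, n in count_connections(text).items() if n > threshold)

def throttle_commands(ip, mark, dev="eth0", rate="64kbit"):
    """The iptables/tc commands a pacemaker-style script would run for one offender
    (returned as strings, not executed): mark the host's packets and steer them
    into a small HTB leaf class under an assumed existing 1:1 parent."""
    return [
        f"iptables -t mangle -A FORWARD -s {ip} -j MARK --set-mark {mark}",
        f"tc class add dev {dev} parent 1:1 classid 1:{mark} htb rate {rate} ceil {rate}",
        f"tc filter add dev {dev} parent 1: protocol ip handle {mark} fw flowid 1:{mark}",
    ]
```

The duplicate line for 10.1.2.9 is counted once and its rsync connection is skipped, so only four connections count against it; a real deployment would also need the reverse step that removes the class when the count drops again.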
> It was workable but it was no way a good scene. After analyzing traffic,
> I thought it would have been inefficient to try and look into the data
> portion of the datagram but what I did notice about the traffic we had
> here was that the P2P machines had an unusually high number of connections.
> For our network, the number of connections was something that could
> easily be monitored. So, I've created a few scripts that used
> iptables, tc, and a sniffer that dynamically ratelimits machines(IPs).

Very interesting, I'll look more in depth to your scripts ... do you think it would be easy to change the decision of who to ratelimit, from the number of connections to the bandwidth they are using?

Something like, if this user is using 512kb for 5 minutes ratelimit him?

--
Damjan Georgievski
jabberID: damjan@bagra.net.mk
hi all,

i'm using squid as a proxy server, and have 2 gateways for internet access. currently i'm using 1 gateway for the internet access; if that gateway is down then i have to change it manually to the 2nd gateway. can anyone help me with the configuration that will automatically switch to the 2nd gateway if the 1st gateway is down.

Thanks in advance
/asa
Damjan,

I am working on a script to do something like that, can you post your script for us?

Thanks in Advance,
Anderson

----- Original Message -----
From: "Damjan" <gdamjan@mail.net.mk>
To: <lartc@mailman.ds9a.nl>
Cc: "David DeLauro" <daved@saintjoe.edu>
Sent: Tuesday, December 23, 2003 6:28 PM
Subject: Re: [LARTC] Dynamic Ratelimiting

> > It was workable but it was no way a good scene. After analyzing traffic,
> > I thought it would have been inefficient to try and look into the data
> > portion of the datagram but what I did notice about the traffic we had
> > here was that the P2P machines had an unusually high number of connections.
> > For our network, the number of connections was something that could
> > easily be monitored. So, I've created a few scripts that used
> > iptables, tc, and a sniffer that dynamically ratelimits machines(IPs).
>
> Very interesting, I'll look more in depth to your scripts ... do you
> think it would be easy to change the decision of who to ratelimit, from
> the number of connections to the bandwidth they are using?
>
> Something like, if this user is using 512kb for 5 minutes ratelimit him?
>
> --
> Damjan Georgievski
> jabberID: damjan@bagra.net.mk
> I am working on a script to do something like that, can you post
> your script for us?

I have my own hard stuff to solve that problem. I measure all of my clients for a long time (tc+parser+sql). After some period of time, 90% of my LAN clients get large automated bandwidth speeds, thus the rest (about 10%) have much worse speeds.

My system increases/decreases client speeds based on per client policy (kept in DB). It is Per User Policy:

Array (
    "LBS_TBS_MAX_ANDOR" => Array ( "T1"=>"OR",   "NIGHT"=>"OR",   "COMB"=>"OR" ),
    "LBS_TBS_MIN_ANDOR" => Array ( "T1"=>"AND",  "NIGHT"=>"AND",  "COMB"=>"AND" ),
    "LBS_MIN_OK"        => Array ( "T1"=>"2000", "NIGHT"=>"1500", "COMB"=>"4000" ),
    "LBS_MAX_OK"        => Array ( "T1"=>"4000", "NIGHT"=>"5000", "COMB"=>"9000" ),
    "TBS_MIN_OK"        => Array ( "T1"=>"1800", "NIGHT"=>"2000", "COMB"=>"4000" ),
    "TBS_MAX_OK"        => Array ( "T1"=>"3000", "NIGHT"=>"2500", "COMB"=>"8000" ),
    "INC_STEP"          => Array ( "T1"=>"10",   "NIGHT"=>"0",    "COMB"=>"0" ),
    "DEC_STEP"          => Array ( "T1"=>"30",   "NIGHT"=>"30",   "COMB"=>"3" ),
    "MAX_SPD"           => Array ( "T1"=>"150",  "NIGHT"=>"150",  "COMB"=>"150" ),
    "MIN_SPD"           => Array ( "T1"=>"50",   "NIGHT"=>"50",   "COMB"=>"50" ),
    "LBS_DELTA_MIN"     => Array ( "T1"=>"3600", "NIGHT"=>"3600", "COMB"=>"3600" ),
)

The speeds are collected that way in MYSQL:

Array (
    "TB" => Array ( "COMB"=>"22739678964", "T1"=>"3339908691", "COMBNIGHT"=>"33319656215", "NIGHT"=>"5217145438", "COMBLNIGHT"=>"6016054440", "LNIGHT"=>"1541492392", "COMBT1"=>"0" ),
    "LB" => Array ( "COMB"=>"416211349", "T1"=>"201458741", "COMBNIGHT"=>"395545975", "NIGHT"=>"228162616", "COMBLNIGHT"=>"2270334036", "LNIGHT"=>"3614076", "COMBT1"=>"88073956" ),
    "TT" => Array ( "COMB"=>"7290365", "T1"=>"10701292", "COMBNIGHT"=>"6348749", "NIGHT"=>"8714890", "COMBLNIGHT"=>"4005954", "LNIGHT"=>"7909108", "COMBT1"=>"0" ),
    "LD" => Array ( "COMB"=>"33763", "T1"=>"33763", "COMBNIGHT"=>"25194", "NIGHT"=>"25194", "COMBLNIGHT"=>"27538", "LNIGHT"=>"27538", "COMBT1"=>"8880" ),
    "TS" => Array ( "COMB"=>"1072420867", "T1"=>"1072420867", "COMBNIGHT"=>"1072454577", "NIGHT"=>"1072454577", "COMBLNIGHT"=>"1072393354", "LNIGHT"=>"1072393354", "COMBT1"=>"1056198868" ),
)

Which I can see from the user-level management appz:

hub3:~# abo "inder Ark" all 192.168.190.122;
Binder Arkadiusz * sqix * sqix@chelmnet.pl * xxxxxx87,3xxxx82 * hub3.xxxxx.pl * 00:50:xxxx:51:65 * CI50/24 [CI50B-I] * SPD87 * FIXED

(as you can see currently I have EIR=87 Kbits), yesterday I had over 130 Kbits, just because I downloaded too much as T1 policy (201.46Mb). But tomorrow I will have it back!

PRECIOSION-INFORMATIONS:
* T_WHEN_CONNECTED= 2002-06-30
* T_WHO_CONNECTED= Szarmach
* A_RECORD_CREATE_DATE= 2002-06-14-10-56-32
* A_RECORD_CREATE_AUTHOR= bzyk
* N_AVG_TRAFFIC = {
  Total_BYTES(COMB) 22.74_Gbytes, during 2.81_Months AVG_T=3.12_kbps
  Last Bytes(COMB) 416.21_Mbytes, during 9.38_Hours L_AVG_T=12.33_kbps Updated 2003-12-26 17:3.50
  Total_BYTES(T1) 3.34_Gbytes, during 4.13_Months AVG_T=312.10_bps
  Last Bytes(T1) 201.46_Mbytes, during 9.38_Hours L_AVG_T=5.97_kbps Updated 2003-12-26 17:3.50
  Total_BYTES(COMBNIGHT) 33.32_Gbytes, during 2.45_Months AVG_T=5.25_kbps
  Last Bytes(COMBNIGHT) 395.55_Mbytes, during 7.00_Hours L_AVG_T=15.70_kbps Updated 2003-12-27 0:2.51
  Total_BYTES(NIGHT) 5.22_Gbytes, during 3.36_Months AVG_T=598.65_bps
  Last Bytes(NIGHT) 228.16_Mbytes, during 7.00_Hours L_AVG_T=9.06_kbps Updated 2003-12-27 0:2.51
  Total_BYTES(COMBLNIGHT) 6.02_Gbytes, during 1.55_Months AVG_T=1.50_kbps
  Last Bytes(COMBLNIGHT) 2.27_Gbytes, during 7.65_Hours L_AVG_T=82.44_kbps Updated 2003-12-26 7:41.32
  Total_BYTES(LNIGHT) 1.54_Gbytes, during 3.05_Months AVG_T=194.90_bps
  Last Bytes(LNIGHT) 3.61_Mbytes, during 7.65_Hours L_AVG_T=131.24_bps Updated 2003-12-26 7:41.32
  Total_BYTES(COMBT1) 0.00_bytes, during 1.00_secs AVG_T=0.00_bps
  Last Bytes(COMBT1) 88.07_Mbytes, during 2.47_Hours L_AVG_T=9.92_kbps Updated 2003-6-21 17:2.28
} = TOTAL_AVERAGE 1.68_k_bps
hub3:~#

If anyone is interested in such stuff visit http://nsm.pl/~arek/superedit for other shots and contact me. I can't put it free, just because I've been writing that for 2 years, but I can share with other such projects/communities.

A.Binder
Thanks David for your post.

[]'s
Anderson O. Muniz

----- Original Message -----
From: "David DeLauro" <daved@saintjoe.edu>
To: "Anderson O Muniz" <andybr@bol.com.br>
Cc: <lartc@mailman.ds9a.nl>
Sent: Monday, December 29, 2003 1:11 PM
Subject: Re: [LARTC] Dynamic Ratelimiting

> On Fri, 26 Dec 2003 At 13:18 -0200, andybr@bol.com.br Articulated:
>
> > Damjan,
> >
> > I am working on a script to do something like that, can you post your script
> > for us?
>
> http://mrtg.saintjoe.edu/mrtg/ratelimit/pacemaker/
>
> --
> David DeLauro
> Computer Systems Analyst
> Saint Joseph's College
> Rensselaer, IN 47978
>
> I do this really moronic thing that the government doesn't want me to do. It is called thinking. - George Carlin
> Do not handicap your children by making their lives easy. - Robert Heinlein
> To many, total abstinence is easier than perfect moderation. - St. Augustine
On Tue, 23 Dec 2003 At 21:28 +0100, gdamjan@mail.net.mk Articulated:

> Very interesting, I'll look more in depth to your scripts ... do you
> think it would be easy to change the decision of who to ratelimit, from
> the number of connections to the bandwidth they are using?
>
> Something like, if this user is using 512kb for 5 minutes ratelimit him?

Right now the scripts are just using a standard sniffer (tcpdump or tethereal) to gather information about the connections. For sure adding the ability to watch bandwidth as well would be something I'm looking into adding... I haven't figured an efficient way to do it yet without parsing datagrams myself for HLEN and TOTAL LENGTH.

--
David DeLauro

Do not handicap your children by making their lives easy. - Robert Heinlein
If the soul could know God without the world, the world would never have been created. - Meister Eckhart
Hata ukinichukia la kweli nitakwambia - Kanga Proverb
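An added example (not David's code) of the byte accounting he mentions: it reads the header length ("HLEN", the IHL field) and Total Length straight from a raw IPv4 header, sums bytes per source host in one-minute buckets, and applies Damjan's "512kb for 5 minutes" rule. The packets, addresses and packet counts are constructed for the example; a real deployment would feed it frames from the sniffer instead.

```python
import struct
from collections import defaultdict

def ipv4_header_fields(packet):
    """Read header length (IHL, the 'HLEN' field), Total Length and source address
    straight from a raw IPv4 header, which is all a byte counter needs."""
    version_ihl = packet[0]
    if version_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (version_ihl & 0x0F) * 4                 # IHL is in 32-bit words
    total_length, = struct.unpack("!H", packet[2:4])
    src = ".".join(str(b) for b in packet[12:16])
    return ihl, total_length, src

def build_ipv4(src, payload_len, ihl_words=5):
    """Constructed test packet: minimal IPv4 header (plus zeroed options if
    ihl_words > 5) followed by a zero payload; checksum left at 0."""
    total = ihl_words * 4 + payload_len
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, total, 0, 0, 64, 6, 0,
                      bytes(int(o) for o in src.split(".")), bytes([192, 0, 2, 10]))
    return hdr + b"\x00" * ((ihl_words - 5) * 4) + b"\x00" * payload_len

def bytes_per_minute(packets):
    """packets: iterable of (timestamp_seconds, raw_packet) -> {src: {minute: bytes}}."""
    buckets = defaultdict(lambda: defaultdict(int))
    for ts, raw in packets:
        _, total, src = ipv4_header_fields(raw)
        buckets[src][int(ts // 60)] += total
    return buckets

def sustained_offenders(packets, kbit=512, minutes=5):
    """Hosts that averaged more than `kbit` kbit/s in `minutes` consecutive
    one-minute buckets (Damjan's '512kb for 5 minutes' rule)."""
    limit = kbit * 1000 * 60 // 8                   # bytes per minute at that rate
    hits = []
    for src, per_min in bytes_per_minute(packets).items():
        run = 0
        for m in range(min(per_min), max(per_min) + 1):
            run = run + 1 if per_min.get(m, 0) > limit else 0
            if run >= minutes:
                hits.append(src)
                break
    return sorted(hits)

# Constructed trace: 10.1.2.9 pushes 2600 x 1500-byte packets per minute
# (~3.9 MB/min, above 512 kbit/s) for six minutes; 10.1.2.3 sends a trickle.
TRACE = [(60 * m + i * 0.02, build_ipv4("10.1.2.9", 1480)) for m in range(6) for i in range(2600)]
TRACE += [(60 * m + 1, build_ipv4("10.1.2.3", 500)) for m in range(6)]
```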
On Fri, 26 Dec 2003 At 13:18 -0200, andybr@bol.com.br Articulated:

> Damjan,
>
> I am working on a script to do something like that, can you post your script
> for us?

http://mrtg.saintjoe.edu/mrtg/ratelimit/pacemaker/

--
David DeLauro
Computer Systems Analyst
Saint Joseph's College
Rensselaer, IN 47978

I do this really moronic thing that the government doesn't want me to do. It is called thinking. - George Carlin
Do not handicap your children by making their lives easy. - Robert Heinlein
To many, total abstinence is easier than perfect moderation. - St. Augustine
i saw this David's script too late .. but i am working (80% approximately) with another idea.

Something like:
ip x.x.x.1 starts downloading a file; then, after the maximum top (300kbs for example), the connection (not IP) is marked and then you can move it to another class with tc.
so let's see an example.

Rate
30kb/s ---------\
20kb/s           \----------\
                             \
 5kb/s                        \------------------
        0        300         800
                                      Kb Downloaded

So well here you can see that when the limit is reached then i mark the packet and move it to another class with less priority.

I know a lot of bla bla bla but as soon as possible i will post it.

Best regards and happy new year.

Sebastián A. Aresca
Sebastian,

You are trying to share bandwidth with less priority when it reaches the maximum top? Why do you need it?

Happy New Year Folks,

[]'s
Anderson O. Muniz

----- Original Message -----
From: "Sebastian A. Aresca" <sebastian@aresca.com.ar>
To: <LARTC@mailman.ds9a.nl>
Sent: Tuesday, December 30, 2003 1:27 AM
Subject: [LARTC] OTHER Dynamic Ratelimiting

> i saw this David's script too late .. but i am working (80% approximately)
> with another idea.
>
> Something like:
> ip x.x.x.1 starts downloading a file; then, after the maximum top (300kbs for
> example),
> the connection (not IP) is marked and then you can move it to another class
> with tc.
> so let's see an example.
>
> Rate
> 30kb/s ---------\
> 20kb/s           \----------\
>                              \
>  5kb/s                        \------------------
>         0        300         800
>                                       Kb Downloaded
>
> So well here you can see that when the limit is reached then i mark the
> packet and move it to
> another class with less priority.
>
> I know a lot of bla bla bla but as soon as possible i will post it.
>
> Best regards and happy new year.
>
> Sebastián A. Aresca