
What is connlimit?


Connlimit is our kernel module for limiting incoming TCP connections by user ID. It works at the kernel level (TCP layer) and does not rely on iptables. Connlimit does not yet appear in our WHM plugin (BetterLinux Manager), but you can configure it manually in cpud's settings.

Manual configuration example:

Add these lines to /etc/betterlinux/cpud.conf.d/betterlinux.conf:

uid my_users 501-502
port my_ports 8080
connection_limit group=my_users port_group=my_ports max_connections=10

NOTE: Replace “my_users,” “my_ports” and the numbers that follow them with your own custom groups, UIDs, and port numbers.

Restart cpud. Now servers running as UID 501 or 502 that listen on port 8080 are limited to a maximum of 10 incoming connections.

If UID 501 started a server on port TCP:8080, this is what the limiting would look like:

$ ./client 127.0.0.1:8080 20
Active connections: 1
Active connections: 2
Active connections: 3
Active connections: 4
Active connections: 5
Active connections: 6
Active connections: 7
Active connections: 8
Active connections: 9
Active connections: 10
Connection #10 to 127.0.0.1:8080 failed: Connection reset by peer
Connection #11 to 127.0.0.1:8080 failed: Connection reset by peer
Connection #12 to 127.0.0.1:8080 failed: Connection reset by peer
Connection #13 to 127.0.0.1:8080 failed: Connection reset by peer
Connection #14 to 127.0.0.1:8080 failed: Connection reset by peer
Connection #15 to 127.0.0.1:8080 failed: Connection reset by peer
Connection #16 to 127.0.0.1:8080 failed: Connection reset by peer
Connection #17 to 127.0.0.1:8080 failed: Connection reset by peer
Connection #18 to 127.0.0.1:8080 failed: Connection reset by peer
Connection #19 to 127.0.0.1:8080 failed: Connection reset by peer
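To make the configuration grammar and the counting behaviour concrete, here is an added example (not cpud or connlimit code) that parses the three line types shown above and simulates the per-UID, per-port limiting seen in the client output. The parsing rules, the "reset once the active count reaches max_connections" behaviour, and the handling of overlapping rules are assumptions drawn from this article.

```python
# Added example, not cpud or connlimit code: the parsing rules and the
# "reset once active >= max_connections" behaviour are assumptions from this article.
from collections import defaultdict

SAMPLE_CONF = """\
uid my_users 501-502
port my_ports 8080
connection_limit group=my_users port_group=my_ports max_connections=10
"""

def parse_range(spec):
    # "501-502" -> {501, 502}; "8080" -> {8080}
    lo, _, hi = spec.partition("-")
    return set(range(int(lo), int(hi or lo) + 1))

def parse_conf(text):
    """Return a list of (uids, ports, max_connections) rules."""
    uid_groups, port_groups, rules = {}, {}, []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "uid":
            uid_groups[parts[1]] = parse_range(parts[2])
        elif parts[0] == "port":
            port_groups[parts[1]] = parse_range(parts[2])
        elif parts[0] == "connection_limit":
            kv = dict(p.split("=", 1) for p in parts[1:])
            rules.append((uid_groups[kv["group"]], port_groups[kv["port_group"]],
                          int(kv["max_connections"])))
    return rules

class ConnLimitSim:
    """Counts active/denied connections per (uid, port) like the /proc files."""
    def __init__(self, rules):
        self.rules = rules
        self.active = defaultdict(int)   # mirrors /proc/net/connections
        self.denied = defaultdict(int)   # mirrors /proc/net/connections_denied
    def limit_for(self, uid, port):
        hits = [m for uids, ports, m in self.rules if uid in uids and port in ports]
        return min(hits) if hits else None   # assumption: most restrictive rule wins
    def connect(self, uid, port):
        """True if the connection is accepted, False if connlimit would reset it."""
        limit = self.limit_for(uid, port)
        if limit is not None and self.active[(uid, port)] >= limit:
            self.denied[(uid, port)] += 1
            return False
        self.active[(uid, port)] += 1
        return True
```

Running 20 connection attempts for UID 501 on port 8080 through the simulator reproduces the client output above: the first 10 are accepted and the remaining 10 are refused, while UIDs outside my_users are never limited.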

Effectiveness:

Connlimit won't fix all DoS-attack-related problems, but it can substantially mitigate them. To know which user a connection is intended for, connlimit must often allow the incoming connection to complete and then watch the initial traffic flow (this is true of web servers, for example). Once the user is known, connlimit checks whether that user is exceeding their connection limit; if so, every connection to that user beyond the limit is terminated. Attackers can still open many connections to a server, but each one is short-lived, which eliminates a great deal of malicious network traffic and the computation associated with it. DDoS attacks, unlike DoS attacks, involve connections that are opened without sending any traffic to a user, so connlimit has nothing to attribute them by. Your only recourse in that case is to shorten your web server's timeout settings (which can hurt legitimate users if shortened too much).

Monitoring:

You can monitor connection limiting by watching these two files:

/proc/net/connections
/proc/net/connections_denied

The first file shows the number of active connections by UID and port at any given time, in no particular order.
The second file shows, by UID and port, how many connections connlimit has denied. To clear the counter, write any value to the file, for example "echo 0 > /proc/net/connections_denied".


Copyright © 2011 BetterLinux.com. All rights reserved.