[nsp] limit connections per-source-ip on pix or localdir?

Christopher McCrory chrismcc at pricegrabber.com
Thu Jul 31 20:17:04 EDT 2003


Hello...

take two with different track

On Thu, 2003-07-31 at 16:09, Rob Helmer wrote:
> Hello,
> 
> 
> I run a network with a PIX 515 on the outside, and a LD 410 on the
> inside.
> 
> I would like to limit the number of open connections to (say)
> 1000 per source IP. I've gone through all the manuals, but the
> closest I've found is "maxconns" on the LD side, which just limits
> the total number of open connections to a particular service, which
> won't fit my needs.
> 
> The story behind this is that a client with many more servers than we
> have has accidentally flooded us with requests a couple times, which
> makes all of our servers too busy to respond to other clients.
> 

Assuming web services.
What exactly fails and how?
As a guess, are you running with persistent connections?
  Lower the timeout from the default to 2 or 3 seconds.
  Turn off persistent connections altogether.
Are you running out of daemons?
  Raise max daemons.
  e.g. I recompile apache w/ 1024 max from default 256



> We still have bandwidth to spare though. I'd like to limit the number
> of requests any one client can make, ideally without buying any more
> gear (although I am open to suggestions :) ).
> 
> 
> 
> Thanks,
> Rob Helmer
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
-- 
Christopher McCrory
 "The guy that keeps the servers running"
 
chrismcc at pricegrabber.com
 http://www.pricegrabber.com
 
Let's face it, there's no Hollow Earth, no robots, and
no 'mute rays.' And even if there were, waxed paper is
no defense.  I tried it.  Only tinfoil works.


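Before tuning timeouts or daemon counts, it helps to confirm whether one client really is holding most of the open connections. The script below is an added example, not from either poster: it counts established connections per remote IP for one local port from netstat-style output. The sample output, the local port 80 and the limit of 2 are constructed assumptions for the demonstration.

```python
"""Count open TCP connections per source IP from netstat-style output,
to see which clients are occupying the server's connection slots.
The sample below is constructed; port 80 and the limit are assumptions."""
import re
from collections import Counter

# Constructed sample of `netstat -ant` output (Linux column layout).
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             192.0.2.10:51234        ESTABLISHED
tcp        0      0 10.0.0.5:80             192.0.2.10:51235        ESTABLISHED
tcp        0      0 10.0.0.5:80             192.0.2.10:51236        TIME_WAIT
tcp        0      0 10.0.0.5:80             198.51.100.7:40001      ESTABLISHED
tcp        0      0 10.0.0.5:22             203.0.113.9:60000       ESTABLISHED
tcp        0      0 10.0.0.5:80             192.0.2.10:51237        ESTABLISHED
"""

# proto, recv-q, send-q, local ip:port, foreign ip:port, state
LINE_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)")


def connections_per_source(netstat_text, local_port=80, states=("ESTABLISHED",)):
    """Return Counter {source_ip: connections} for one local port.
    TIME_WAIT is excluded by default: it no longer ties up a daemon."""
    counts = Counter()
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # header lines and LISTEN sockets (port '*') are skipped
            continue
        _local_ip, lport, remote_ip, _rport, state = m.groups()
        if int(lport) == local_port and state in states:
            counts[remote_ip] += 1
    return counts


def sources_over_limit(counts, limit):
    """Source IPs holding more than `limit` connections, busiest first."""
    return [(ip, n) for ip, n in counts.most_common() if n > limit]


if __name__ == "__main__":
    per_src = connections_per_source(SAMPLE_NETSTAT)
    for ip, n in sources_over_limit(per_src, limit=2):
        print(f"over limit: {ip} ({n} open connections)")
```

On a live box, feed it `netstat -ant` output instead of the sample and set the limit to the per-client ceiling you have in mind.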

