I wonder if the max number of connections should be limited by ATS. I guess it could be done by iptables if the connections are going to be just closed. It'd be even better because the TCP handshake would not be completed. It would be a nice addition if iptables or firewalls cannot handle QUIC connections.
Also, this kind of IP-address-based feature makes me wonder what IP address should be checked if the PROXY protocol is used. If the real client IP address is going to be used, that may be a reason to have the limit in ATS (I assume iptables cannot handle it).

-- Masakazu

On Thu, Apr 17, 2025 at 2:39 PM Brian Neradt <brian.ner...@gmail.com> wrote:
> Hi dev@trafficserver.apache.org,
>
> ATS has a feature to restrict the number of per-client connections ATS will
> receive:
> proxy.config.net.per_client.max_connections_in
>
> The intention of the configuration is to mitigate certain DoS situations
> via malicious or otherwise misbehaving clients which consume an inordinate
> amount of resources by spinning up a lot of connections.
>
> It is possible, though, that certain clients can be expected to initiate a
> lot of connections to a box. For instance, certain networking
> configurations may result in ATS peers within a data center initiating many
> connections to each other. In such situations, it would be good to "allow
> list" a set of IP addresses for whom the per_client.max_connections_in will
> not be applied.
>
> I've created a PR that demonstrates such a feature:
> https://github.com/apache/trafficserver/pull/12198
>
> It adds *proxy.config.http.per_client.connection.allow_list.filename* as a
> configuration that points to a YAML file that contains a sequence of IP
> address ranges for whom per_client.max_connections_in will not be enforced.
> It is implemented with the libswoc net library used in other components in
> ATS, which supports the following formats:
>
> 10.0.2.123            Ignore a single IP address.
> 10.0.3.1-10.0.3.254   Ignore a range of IP addresses.
> 10.0.4.0/24           Ignore a range of IP addresses specified by CIDR notation.
>
> Here is an example YAML file ignoring some address ranges:
>
> allow_list:
>   - 10.0.2.123
>   - 172.16.0.0/20
>   - 192.168.1.0/24
>
> Please let me know if you have suggestions or concerns about this
> configuration.
>
> Thanks,
> Brian Neradt
> --
> "Come to Me, all who are weary and heavy-laden, and I will
> give you rest. Take My yoke upon you and learn from Me, for
> I am gentle and humble in heart, and you will find rest for
> your souls. For My yoke is easy and My burden is light."
>
> ~ Matthew 11:28-30
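As an added example (not code from the PR, from ATS or from libswoc), the following Python sketch implements the three allow-list entry formats quoted in the thread (single address, `first-last` range, CIDR), reads the `allow_list:` sequence with a minimal reader that assumes that shape rather than full YAML, and exempts matching clients from a per-client inbound cap; which address the caller passes in (the TCP peer, or the PROXY-protocol client when that header is trusted) is the policy question the reply raises and is left to the caller.

```python
import ipaddress
from collections import Counter
# Constructed sample in the shape shown in the thread (not the PR's own file).
ALLOW_LIST_YAML = """\
allow_list:
  - 10.0.2.123
  - 10.0.3.1-10.0.3.254
  - 172.16.0.0/20
"""

def parse_entry(text):
    """One entry -> (ip_version, first, last): single address, 'a-b' range, or CIDR."""
    if "-" in text:                      # IPv6 text never contains '-'
        lo, hi = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        if lo.version != hi.version or int(lo) > int(hi):
            raise ValueError(f"invalid range: {text!r}")  # mixed family or reversed
        return lo.version, int(lo), int(hi)
    if "/" in text:
        net = ipaddress.ip_network(text, strict=False)
        return net.version, int(net.network_address), int(net.broadcast_address)
    addr = ipaddress.ip_address(text)
    return addr.version, int(addr), int(addr)

def parse_allow_list(yaml_text):
    """Reader for an 'allow_list:' block of '- entry' lines (assumed YAML subset, sole key)."""
    ranges, in_list = [], False
    for line in yaml_text.splitlines():
        s = line.strip()
        if s == "allow_list:":
            in_list = True
        elif in_list and s.startswith("- "):
            ranges.append(parse_entry(s[2:].strip()))
    return ranges

def is_allow_listed(ranges, ip):
    addr = ipaddress.ip_address(ip)  # compare only within the same address family
    return any(v == addr.version and lo <= int(addr) <= hi for v, lo, hi in ranges)

class PerClientLimiter:
    """Per-client inbound cap; the caller chooses the address (TCP peer or PROXY client)."""
    def __init__(self, max_connections_in, ranges):
        self.max, self.ranges, self.active = max_connections_in, ranges, Counter()

    def accept(self, client_ip):
        if is_allow_listed(self.ranges, client_ip):
            return True                  # exempt: never counted or capped
        if self.active[client_ip] >= self.max:
            return False                 # at the cap: reject this connection
        self.active[client_ip] += 1
        return True
```

A real server would also decrement `active` when a connection closes; that release path is omitted here to keep the example short.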