Hi Masakazu,

Thank you for the thoughts. Sorry for the delay. I definitely agree that iptables is certainly a helpful tool for similar problems, and they are and will continue to be used for a number of DOS scenarios by our company. That said, the per client connection max feature has a few things that speak in its favor:

* It is based off of the per origin connection max setting (proxy.config.http.per_server.connection.max). Since we have that implementation already, implementing it for the client is pretty easy from a development standpoint. It almost comes for free.

* I second your PROXY protocol idea, and potentially other ATS specific ways this can be customized. Eventually, I will likely be providing plugin API support to set the ignore list (the feature being suggested here). That will allow arbitrary programmability. Internally, we will likely use this for our corporate IP classification database.

* It's nice from a deployment perspective to be able to set per client connection settings in a way similar to the per server connection settings. Having that consistency of configuration is convenient for users.

As you mentioned in your follow-up email, we do have this per client connection max configuration already. Adding the ability to exempt certain IP ranges is a pretty light development effort given that we already have robust IP range parsing in ATS for other purposes (like IP allow, for instance).

Thanks,
Brian

On Thu, Apr 17, 2025 at 7:54 PM Masakazu Kitajo <mas...@apache.org> wrote:
> Oh, I just realized that the setting for the max number of connections already exists and just the exempt setting is new... but I'm still not sure if we should invest in the setting because of the questions on my previous email.
>
> -- Masakazu
>
> On Thu, Apr 17, 2025 at 6:41 PM Masakazu Kitajo <mas...@apache.org> wrote:
>> I wonder if the max number of connections should be limited by ATS. I guess it could be done by iptables if the connections are going to be just closed. It'd be even better because TCP handshake would not be completed. It would be a nice addition if iptables or firewalls cannot handle QUIC connections.
>>
>> Also, this kind of IP address based features make me wonder what IP address should be checked if PROXY protocol is used. If the real client IP address is going to be used, that may be a reason to have the limit on ATS (I assume iptables cannot handle it).
>>
>> -- Masakazu
>>
>> On Thu, Apr 17, 2025 at 2:39 PM Brian Neradt <brian.ner...@gmail.com> wrote:
>>> Hi dev@trafficserver.apache.org,
>>>
>>> ATS has a feature to restrict the number of per client connections ATS will receive:
>>>
>>>     proxy.config.net.per_client.max_connections_in
>>>
>>> The intention of the configuration is to mitigate certain DOS situations via malicious or otherwise misbehaving clients which consume an inordinate amount of resources by spinning up a lot of connections.
>>>
>>> It is possible, though, that certain clients can be expected to initiate a lot of connections to a box. For instance, certain networking configurations may result in ATS peers within a data center initiating many connections to each other. In such situations, it would be good to "allow list" a set of IP addresses for whom the per_client.max_connections_in will not be applied.
>>>
>>> I've created a PR that demonstrates such a feature:
>>> https://github.com/apache/trafficserver/pull/12198
>>>
>>> It adds *proxy.config.http.per_client.connection.allow_list.filename* as a configuration that points to a yaml file that contains a sequence of IP address ranges for whom per_client.max_connections_in will not be enforced. It is implemented with the libswoc net library used in other components in ATS which supports the following formats:
>>>
>>>     10.0.2.123              Ignore a single IP Address.
>>>     10.0.3.1-10.0.3.254     Ignore a range of IP address.
>>>     10.0.4.0/24             Ignore a range of IP address specified by CIDR notation.
>>>
>>> Here is an example YAML file ignoring some address ranges:
>>>
>>>     allow_list:
>>>       - 10.0.2.123
>>>       - 172.16.0.0/20
>>>       - 192.168.1.0/24
>>>
>>> Please let me know if you have suggestions or concerns about this configuration.
>>>
>>> Thanks,
>>> Brian Neradt
>>> --
>>> "Come to Me, all who are weary and heavy-laden, and I will
>>> give you rest. Take My yoke upon you and learn from Me, for
>>> I am gentle and humble in heart, and you will find rest for
>>> your souls. For My yoke is easy and My burden is light."
>>>
>>> ~ Matthew 11:28-30

--
"Come to Me, all who are weary and heavy-laden, and I will give you rest. Take My yoke upon you and learn from Me, for I am gentle and humble in heart, and you will find rest for your souls. For My yoke is easy and My burden is light."

~ Matthew 11:28-30
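The following is an added example, not code from the thread, the PR, or ATS itself. It models the semantics the proposal describes: a per-client inbound connection cap (as in proxy.config.net.per_client.max_connections_in) combined with an allow list in the three entry formats listed above (single address, dashed range, CIDR), read from the one-key YAML layout shown in the original post. Everything here is an assumption for illustration: the class and function names, the choice that a limit of 0 means "no limit", the minimal line-based reader (not a real YAML parser), and the sample allow list and client addresses, which are constructed. The limiter deliberately takes the client address as a caller-supplied string, because, as the thread notes, which address counts as "the client" (TCP peer vs. PROXY protocol source) is a separate decision.

```python
"""Added example: allow-listed per-client inbound connection limit.

Not ATS code. Models proxy.config.net.per_client.max_connections_in plus
an exemption list in the three formats from the proposal:
single address, dashed range, CIDR (IPv4 and IPv6).
"""
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_entry(entry: str) -> List[Network]:
    """One allow-list entry -> list of networks covering exactly it.

    '10.0.2.123'            -> [10.0.2.123/32]
    '10.0.3.1-10.0.3.254'   -> minimal CIDR set covering the inclusive range
    '10.0.4.0/24'           -> [10.0.4.0/24]
    """
    entry = entry.strip()
    if "-" in entry:  # dashed range (IPv6 literals never contain '-')
        lo_s, hi_s = entry.split("-", 1)
        lo = ipaddress.ip_address(lo_s.strip())
        hi = ipaddress.ip_address(hi_s.strip())
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"bad range: {entry!r}")
        return list(ipaddress.summarize_address_range(lo, hi))
    if "/" in entry:  # CIDR; strict=False tolerates host bits set
        return [ipaddress.ip_network(entry, strict=False)]
    return [ipaddress.ip_network(ipaddress.ip_address(entry))]


def parse_allow_list_yaml(text: str) -> List[Network]:
    """Minimal reader for the single-key file layout in the proposal
    ('allow_list:' followed by '- <entry>' items). Not a YAML parser;
    anything else is rejected rather than guessed at."""
    nets: List[Network] = []
    in_seq = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # strip comments
        if not line.strip():
            continue
        if line.strip() == "allow_list:":
            in_seq = True
            continue
        if in_seq and line.lstrip().startswith("- "):
            nets.extend(parse_entry(line.lstrip()[2:]))
            continue
        raise ValueError(f"unexpected line in allow list: {raw!r}")
    return nets


class PerClientLimiter:
    """Counts open inbound connections per client address and refuses a
    new one once a non-exempt client already holds `max_connections_in`.
    Assumption: 0 means the limit is disabled."""

    def __init__(self, max_connections_in: int,
                 allow_list: Iterable[Network] = ()) -> None:
        self.max = max_connections_in
        self.allow_list = list(allow_list)
        self.open: Dict[str, int] = defaultdict(int)

    def is_exempt(self, client: str) -> bool:
        addr = ipaddress.ip_address(client)
        # `in` is False across address families, so v4 and v6 entries mix safely
        return any(addr in net for net in self.allow_list)

    def on_connect(self, client: str) -> bool:
        """True if accepted. `client` is whichever address the caller treats
        as the client (TCP peer, or PROXY protocol source address)."""
        if (self.max > 0 and not self.is_exempt(client)
                and self.open[client] >= self.max):
            return False
        self.open[client] += 1
        return True

    def on_close(self, client: str) -> None:
        if self.open[client] > 0:
            self.open[client] -= 1


# Constructed sample file, following the layout in the proposal.
SAMPLE_ALLOW_LIST = """\
# data-center peers and one test host (constructed sample)
allow_list:
  - 10.0.2.123
  - 10.0.3.1-10.0.3.254
  - 172.16.0.0/20
  - 192.168.1.0/24
  - 2001:db8::/32
"""


def run_scenario(max_connections_in: int = 2) -> dict:
    """Drive the limiter with constructed clients; returns observed decisions."""
    lim = PerClientLimiter(max_connections_in,
                           parse_allow_list_yaml(SAMPLE_ALLOW_LIST))
    out = {}
    out["public"] = [lim.on_connect("203.0.113.5") for _ in range(3)]
    lim.on_close("203.0.113.5")
    out["public_after_close"] = lim.on_connect("203.0.113.5")
    out["peer"] = [lim.on_connect("172.16.5.9") for _ in range(3)]
    out["range_edges"] = [lim.is_exempt(a) for a in
                          ("10.0.3.0", "10.0.3.1", "10.0.3.254", "10.0.3.255")]
    out["v6"] = lim.is_exempt("2001:db8:1::1")
    return out


if __name__ == "__main__":
    print(run_scenario())
```

With a cap of 2, the non-exempt client 203.0.113.5 is refused its third connection and accepted again after one closes, while the peer 172.16.5.9 inside 172.16.0.0/20 is never refused. The range edge checks show the dashed form is inclusive on both ends and nothing outside it is exempt.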