
throttling mydoom with passive fingerprinting and traffic shaping


Randal L. Schwartz

Jan 29, 2004, 6:08:18 PM

I can't believe I didn't see this earlier. Oh, how sweet.

In /etc/pf.conf:

altq on $ext_if cbq queue { q_default q_web q_mail }

queue q_default cbq(default)

... queue q_web (not shown) ...

## all mail limited to 1Mb/sec
queue q_mail bandwidth 1Mb { q_mail_windows }
## windows mail limited to 56Kb/sec
queue q_mail_windows bandwidth 56Kb

...

pass in quick proto tcp from any os "Windows" to $ext_if port 25 keep state queue q_mail_windows
pass in quick proto tcp from any to $ext_if port 25 label "smtp" keep state queue q_mail

Mail coming from windows boxes (all flavors) competes for my virtual
56K line. All other mail can come in the fat pipe. Already a huge
difference in my load. Bwa ha ha.

(Yes, there are both false positives and negatives, but most of my
friends don't use windows. :)

Just another OpenBSD hacker,

--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<mer...@stonehenge.com> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!

MK

Jan 29, 2004, 10:18:12 PM
Randal L. Schwartz wrote:
> difference in my load. Bwa ha ha.
>
> (Yes, there's both false positives and negatives, but most of my
> friends don't use windows. :)
>
> Just another OpenBSD hacker,
>
Beware nonwindoze foe masquerading for windoomens ;)
The war never ends...

MK

transpetaflops

Jan 30, 2004, 9:31:28 AM
> In /etc/pf.conf:
>
> altq on $ext_if cbq queue { q_default q_web q_mail }
>
> queue q_default cbq(default)
>
> ... queue q_web (not shown) ...
>
> ## all mail limited to 1Mb/sec
> queue q_mail bandwidth 1Mb { q_mail_windows }
> ## windows mail limited to 56Kb/sec
> queue q_mail_windows bandwidth 56Kb
>
> ...
>
> pass in quick proto tcp from any os "Windows" to $ext_if port 25 keep state queue q_mail_windows
> pass in quick proto tcp from any to $ext_if port 25 label "smtp" keep state queue q_mail

How can you queue incoming packets? Hasn't your bandwidth already been
occupied when those packets reach the queues on your OpenBSD machine?
/PP


Greg Hennessy

Jan 30, 2004, 1:01:28 PM
On Fri, 30 Jan 2004 14:31:28 GMT, "transpetaflops"
<anti...@pp.dyndns.biz> wrote:


>
>How can you queue incoming packets? Hasn't your bandwith already been
>occupied when those packets reach the queues on your OpenBSD machine?

That's because it's IP protocol #6, i.e. TCP. It shapes by delaying the
returning ack traffic to the source.

greg


--
You do a lot less thundering in the pulpit against the Harlot
after she marches right down the aisle and kicks you in the nuts.
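Added illustration, not written by anyone in this thread and not pf code: a small Python model of the ACK-clock effect Greg describes. It assumes one inbound TCP transfer with 1460-byte segments and 40-byte pure ACKs, a 10 Mb/s sender, 50 ms one-way delay, a fixed 64-segment window (no congestion control, no retransmission timer), and a no-burst token bucket standing in for the 56 Kb/s pf child queue; every one of those numbers is constructed here. It makes two things explicit that the thread leaves implicit: the first window of data arrives at the sender's full rate before any shaped ACK can get back (the bandwidth transpetaflops asks about really is already spent), and after that the inbound rate settles at the ACK rate multiplied by MSS/ACK size, so 56 Kb/s of ACKs still admits roughly 2 Mb/s of data, and about double that when the receiver acknowledges every second segment.

```python
from collections import deque

MSS = 1460        # payload bytes per data segment (assumed, Ethernet-typical)
ACK_BYTES = 40    # bytes of a pure ACK on the wire, 20 IP + 20 TCP (assumed)
TICK = 0.001      # one simulation step = 1 ms


def ack_clock_limit_bps(ack_rate_bps, segments_per_ack=1):
    """Throughput a sender settles at when its ACKs return at ack_rate_bps:
    each ACK the shaper lets through releases segments_per_ack * MSS bytes."""
    acks_per_second = ack_rate_bps / 8 / ACK_BYTES
    return acks_per_second * segments_per_ack * MSS * 8


def simulate(ack_rate_bps=56_000, sender_link_bps=10_000_000, window_segments=64,
             one_way_delay_s=0.05, segments_per_ack=1, duration_s=5.0):
    """Model one inbound TCP transfer whose outbound ACKs are rate-shaped.

    The remote sender keeps up to window_segments unacknowledged and sends as
    soon as the window opens, limited by sender_link_bps.  Our host ACKs every
    segments_per_ack data segments; ACKs wait in a FIFO drained by a token
    bucket at ack_rate_bps (standing in for the pf child queue).  Returns
    (peak_bps, steady_bps): the highest inbound rate over any 10 ms window,
    and the inbound rate during the last full second of the run.
    """
    ticks = int(duration_s / TICK)
    delay = int(one_way_delay_s / TICK)
    data_arrivals = [0] * (ticks + delay + 1)   # segments reaching our host per tick
    ack_arrivals = [0] * (ticks + delay + 1)    # ACKs reaching the sender per tick
    inflight = 0
    send_per_tick = sender_link_bps * TICK / 8 / MSS   # segments the sender link allows
    send_credit = 0.0
    ack_queue = deque()                          # ACKs waiting in the shaped queue
    tokens_per_tick = ack_rate_bps * TICK / 8    # bytes the shaper may release per tick
    bucket_depth = ACK_BYTES + tokens_per_tick   # no meaningful burst allowance
    tokens = 0.0
    pending = 0                                  # received segments not yet ACKed
    bytes_per_tick = [0] * ticks

    for t in range(ticks):
        # 1. ACKs reaching the sender open the window.
        inflight -= ack_arrivals[t] * segments_per_ack
        # 2. The sender fills the open window as fast as its link permits.
        send_credit = min(send_credit + send_per_tick, send_per_tick + 1.0)
        while inflight < window_segments and send_credit >= 1.0:
            send_credit -= 1.0
            inflight += 1
            data_arrivals[t + delay] += 1
        # 3. Data lands on our link: this bandwidth is already spent, shaped or not.
        arrived = data_arrivals[t]
        bytes_per_tick[t] = arrived * MSS
        pending += arrived
        while pending >= segments_per_ack:
            pending -= segments_per_ack
            ack_queue.append(t)
        # 4. The shaped queue lets ACKs out at the configured rate only.
        tokens = min(tokens + tokens_per_tick, bucket_depth)
        while ack_queue and tokens >= ACK_BYTES:
            tokens -= ACK_BYTES
            ack_queue.popleft()
            ack_arrivals[t + delay] += 1

    win = 10   # 10 ms measurement window for the peak
    peak_bps = max(sum(bytes_per_tick[i:i + win])
                   for i in range(ticks - win + 1)) * 8 / (win * TICK)
    steady_bps = sum(bytes_per_tick[-1000:]) * 8
    return peak_bps, steady_bps


if __name__ == "__main__":
    for spa in (1, 2):
        peak, steady = simulate(segments_per_ack=spa)
        print(f"one ACK per {spa} segment(s): peak {peak / 1e6:.2f} Mb/s, "
              f"steady {steady / 1e6:.2f} Mb/s, "
              f"ack-clock limit {ack_clock_limit_bps(56_000, spa) / 1e6:.2f} Mb/s")
```

The practical consequence for sizing such a queue: the inbound data rate you end up with is roughly the ACK queue's rate times MSS/ACK size (about 36x for these sizes, 73x with delayed ACKs), so a queue meant to hold inbound data near some target needs its bandwidth set to about target x ACK_BYTES/MSS, and the initial window plus any retransmissions still cross the link unshaped.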

transpetaflops

Jan 30, 2004, 3:30:49 PM
>
> Thats because its IP protocol #6 i.e. tcp. It shapes by delaying the
> returning ack traffic to the source.
>

Aah, very clever :-) Exactly the opposite of what I'm doing to achieve
maximum throughput on my 5:1 asynch cable connection... thanks for the tip!
pf never ceases to amaze me.

/PP

