Overview
The Sambar Server supports several throttling mechanisms intended to reduce
the load on your server and the bandwidth generated, according to
policies (see below) that decide when to refuse requests.
The Sambar Server can track and throttle incoming connections by IP address
or by authenticated remote user. The following are the policy configuration
options:
- Concurrent Requests
config.ini parameter(s)
Throttle IPs = #
This policy imposes a limit on the number of concurrent requests from a
given IP address at any one time. This can be used to limit the
effectiveness of some
denial of service (DOS) attacks; a typical browser will open up 10 or more
simultaneous connections to a server (depending on the number of images
present) whereas a DOS attack might attempt 100 simultaneous connections.
This feature results in minimal performance impact. Set this field to
zero (0) to allow unlimited connections from a given IP address.
Use of Throttle IPs has the following issues:
- Because browsers regularly make multiple connections to a server
to retrieve web pages, this setting should typically not be set below ten
(depending on the number of images/frames on your pages) which may lessen
the usefulness of this feature.
- This setting can adversely affect clients that connect via proxies, such
as AOL members, because they all appear to be the same client.
- A local router has a similar issue to the AOL proxy problem because
all clients appear to be coming from 192.168.0.1.
- IE as of 5.5 will open tens of connections to fetch all the content
on a page depending on whether keep-alive is disabled, how long/short the
timeout is, and whether access is across a WAN. Making matters worse, the
TCP/IP stack on Windows does a poor job of alerting the server to
connection close events, resulting in a delay in cleaning up sockets.
- Connections by IP address
config.ini parameter(s)
Throttle IP Size = #
Throttle IP Requests = #
Throttle IP SMTP = #messages
Throttle IP Period = cron
Impose a limit on the number of network requests (connections per-IP)
per period, which when exceeded results in subsequent requests being
denied with a failure message.
If the Requests count is specified (i.e. non-zero), IP
request throttling is enabled.
Requests from an IP address are tracked for a short period of time and
subject to the policy specified. The period of time that a client IP
address is tracked depends on the Size of the IP address
list, which is ordered most recent request to oldest.
Every time a new IP address connects, the oldest entry in the list is
lost and reassigned to the new client IP address. Every time an existing
entry makes a request, it is moved to the top of the list.
- Bandwidth by IP address
config.ini parameter(s)
Throttle IP Size = #
Throttle IP I/O = #mb
Throttle IP Period = cron
Don't Throttle IPs = ip address(s)
Impose a limit on the volume (mbytes sent and received) per period,
which when exceeded results in subsequent requests being denied with
a failure message.
If the I/O volume is specified (i.e. non-zero), IP
bandwidth throttling is enabled.
Requests from an IP address are tracked for a short period of time and
subject to the policy specified. The period of time that a client IP
address is tracked depends on the Size of the IP address
list, which is ordered most recent request to oldest.
Every time a new IP address connects, the oldest entry in the list is
lost and reassigned to the new client IP address. Every time an existing
entry makes a request, it is moved to the top of the list.
- Bandwidth by Authenticated User
config.ini parameter(s)
Throttle User Input = #mb
Throttle User Output = #mb
Throttle User SMTP = #messages
Throttle User Period = cron
Impose a limit on the volume (mbytes sent and/or received) per period,
which when exceeded results in subsequent requests being denied with
a failure message.
If either the Send or Receive
volumes are specified (i.e. non-zero), user throttling is enabled.
- Bandwidth by Virtual Host
config.ini parameter(s)
Throttle VHOST Input = #mb
Throttle VHOST Output = #mb
Throttle VHOST Period = cron
Impose a limit on the volume (mbytes sent and/or received) per period,
which when exceeded results in subsequent requests being denied with
a failure message.
If either the Send or Receive
volumes are specified (i.e. non-zero), virtual host throttling is enabled.
- Simultaneous Logins
config.ini parameter(s)
Maximum Simultaneous Logins = #
Impose a limit on the maximum number of simultaneous logins for a
single user. The default value zero (0) indicates an unlimited number
of simultaneous users are permitted. If a user does not logout and
attempts to reconnect with the limit set to one (1), the user will have
to wait until the timeout duration is reached.
- Invalid HTTP Requests
config.ini parameter(s)
Monitor Invalid Requests = true | false
Maximum Invalid Requests = #
Invalid Request Wait = #sec
Monitor invalid HTTP requests and freeze subsequent requests for
Invalid Request Wait seconds from the IP
addresses of hosts that exceed the Maximum Invalid Requests.
Enabling this feature imposes a performance penalty on the server and
increases the memory requirements by several megabytes; it can prevent
some types of server attacks as well as some DOS attacks. Note: All
tracking is performed via IP address. This can adversely affect large
groups of users that come from hosts behind a proxy such as AOL.
- Invalid HTTP Logins
config.ini parameter(s)
Monitor Invalid Logins = true | false
Maximum Invalid Logins = #
Invalid Login Wait = #sec
Monitor invalid HTTP login attempts and deny subsequent login attempts
for Invalid Login Wait seconds from the IP
addresses of hosts that exceed the Maximum Invalid Logins.
Enabling this feature imposes a performance penalty on the server and
increases the memory requirements by several megabytes; it can prevent
some types of server attacks as well as some DOS attacks. Note: All
tracking is performed via IP address. This can adversely affect large
groups of users that come from hosts behind a proxy such as AOL.
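
The IP address list described under "Connections by IP address" and "Bandwidth by IP address", modelled as an added example (this is not Sambar Server code). It counts requests only and omits the cron-driven Period reset; the class and function names and the sample addresses are assumptions. It shows why Size must exceed the number of distinct clients seen between one client's requests, otherwise the entry is reassigned before the limit is reached.

```python
from collections import OrderedDict


class IPThrottleTable:
    """Model of a fixed-size, most-recent-first IP tracking list (assumed behaviour)."""

    def __init__(self, size, max_requests):
        self.size = size                  # models "Throttle IP Size"
        self.max_requests = max_requests  # models "Throttle IP Requests"
        self.entries = OrderedDict()      # last key = most recently seen IP

    def request(self, ip):
        """Record one request; return True if allowed, False if denied."""
        if ip in self.entries:
            self.entries.move_to_end(ip)          # existing entry moves to the top
        else:
            if len(self.entries) >= self.size:
                self.entries.popitem(last=False)  # oldest entry is lost
            self.entries[ip] = 0                  # slot reassigned, count starts over
        self.entries[ip] += 1
        return self.entries[ip] <= self.max_requests


def denied_requests(size, max_requests, traffic):
    """Replay a list of client IPs and count how many requests are denied."""
    table = IPThrottleTable(size, max_requests)
    return sum(1 for ip in traffic if not table.request(ip))


def constructed_traffic(heavy_ip, heavy_requests, others_between):
    """Constructed sample: one heavy client interleaved with distinct other clients."""
    traffic, n = [], 0
    for _ in range(heavy_requests):
        traffic.append(heavy_ip)
        for _ in range(others_between):
            n += 1
            traffic.append(f"198.51.100.{n % 250 + 1}")
    return traffic


if __name__ == "__main__":
    # 20 requests from one client, 8 other distinct clients between each of them.
    traffic = constructed_traffic("203.0.113.7", heavy_requests=20, others_between=8)
    for size in (4, 8, 9, 64):
        print(f"Size={size:3d} denied={denied_requests(size, 10, traffic)}")
```

With a limit of 10 requests, the heavy client is only throttled once the list holds at least nine entries, which is the eight intervening clients plus itself.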