Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Feature request: Add rate limiting to tunnels. Denial of Service (DoS) issue.

Started by AntiLiberal, July 07, 2024, 09:02:00 PM


AntiLiberal

I would like to be able to rate limit the downstream connection. Limiting it to 20,000 packets per second or 5MB/sec would work for me. A way of remotely disabling the tunnel, such as by sending a special UDP packet out to the server should also work. That would have to be automated with a script.

Someone is doing a DoS attack which overloads my connection and I cannot connect to anything, even to configure the tunnel.

Unfortunately I have to turn off my tunnel for the time being or my connection could be down for as long as an hour at random times.

pmf026

I think it's something you should do yourself. Treat "he-ipv6" (or whatever name you assigned to it) like another external WAN interface. Need a rate limit? Set it up. I mean, it's not the ISP's responsibility, and if your router can't handle it, invest in a more powerful router maybe?

cshilton

I know this is an old thread.

I don't think that rate-limiting his interface helps. I'm guessing that Hurricane Electric has a lot more bandwidth than he does, so if someone starts blasting away UDP packets destined for any of his assigned IPv6 space, that traffic is going to end up routed as protocol 41 traffic, via his ISP, to his firewall. Once it's in his downstream pipe, it's game over. If the net result of this is that his downstream connection gets saturated, that parcel of bandwidth is lost. He won't be able to receive any other packets outside of the denial-of-service traffic. Dropping the packets or replying to them when they get to his side of the pipe won't help. Eventually, I would imagine that this would become a problem between him and his ISP.

I post in this otherwise stale thread because it's a problem that anyone running the Hurricane Electric tunnelbroker service has. E.g., if you piss off someone who can DoS you with UDP or ICMP, or even TCP traffic, there wouldn't be much you could do, short of deleting the tunnel, to stop the flow from the fire hose. I do guess that you could log in from a different connection and reconfigure the tunnel, but you'd want to be careful with that because now you're just redirecting the fire hose at someone else. I also remember that to be able to have a tunnel at all, you have to be able to respond to ICMP directed at your side of the tunnel's address. That makes me wonder if you could staunch the traffic and save the configuration by stopping your side from responding to ping echo requests.

-- Chris
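A local watchdog along the lines of what AntiLiberal asked for, as an added example (not Hurricane Electric's code nor any poster's): it samples the tunnel interface's receive counters and takes the interface down when inbound traffic passes 20,000 pps or 5 MB/s. The interface name he-ipv6, the Linux sysfs counters and the `ip` command are assumptions; as cshilton points out, this only stops local processing, since the encapsulated flood still fills the ISP link.

```python
"""Watch the he-ipv6 tunnel interface and take it down when inbound traffic
exceeds the thresholds requested in the thread (20,000 pps or 5 MB/s).
Added example; assumes Linux sysfs counters and iproute2."""
import subprocess
import time
from pathlib import Path

IFACE = "he-ipv6"          # tunnel interface name (assumed; use your own)
PPS_LIMIT = 20_000         # packets per second, from the original request
BPS_LIMIT = 5 * 1_000_000  # bytes per second (5 MB/s), from the original request
INTERVAL = 1.0             # sampling interval in seconds


def read_rx_counters(iface: str = IFACE) -> tuple:
    """Return (rx_packets, rx_bytes) for the interface from sysfs."""
    base = Path("/sys/class/net") / iface / "statistics"
    return (int((base / "rx_packets").read_text()),
            int((base / "rx_bytes").read_text()))


def rates(prev: tuple, cur: tuple, seconds: float) -> tuple:
    """Turn two counter samples into (packets/s, bytes/s)."""
    return ((cur[0] - prev[0]) / seconds, (cur[1] - prev[1]) / seconds)


def over_limit(pps: float, bps: float,
               pps_limit: int = PPS_LIMIT, bps_limit: int = BPS_LIMIT) -> bool:
    """True when either inbound rate exceeds its threshold."""
    return pps > pps_limit or bps > bps_limit


def disable_tunnel(iface: str = IFACE) -> None:
    """Take the tunnel interface down. This stops local decapsulation only;
    the protocol-41 flood still arrives on the ISP link (cshilton's point)."""
    subprocess.run(["ip", "link", "set", "dev", iface, "down"], check=True)


def watch() -> None:
    """Sample counters every INTERVAL seconds; disable the tunnel on overload."""
    prev = read_rx_counters()
    while True:
        time.sleep(INTERVAL)
        cur = read_rx_counters()
        pps, bps = rates(prev, cur, INTERVAL)
        if over_limit(pps, bps):
            print(f"{IFACE}: {pps:.0f} pps / {bps:.0f} B/s over limit, disabling")
            disable_tunnel()
            return
        prev = cur


if __name__ == "__main__":
    watch()  # needs root to change link state
```

Bringing the interface back up later (or re-enabling it from a script once the flood subsides) is left to the operator.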