request_rate and request_burst work incorrectly under load #2286

Open
RomanBelozerov opened this issue Nov 19, 2024 · 0 comments

Describe the issue
I set request_burst 20 and I usually receive the frang: requests burst exceeded for 192.168.100.9: 21 (lim=20) message in dmesg. But under heavy load, such messages are output to dmesg. Some connections are sometimes not blocked by the limits.

```
[  214.699739] [tempesta fw] Warning: frang: requests burst exceeded for 192.168.103.178: 22 (lim=20) ffff9db104db3c30
[  214.699748] [tempesta fw] Warning: parsed request has been filtered out: 192.168.103.178
[  214.699750] [tempesta fw] 192.168.103.178 "tempesta-tech.com" "GET / HTTP/1.1" 403 0 "-" "Googlebot-Video/1.0"
[  214.699766] [tempesta fw] Warning: frang: requests burst exceeded for 192.168.103.178: 23 (lim=20) ffff9db104db3c30
[  214.699767] [tempesta fw] Warning: parsed request has been filtered out: 192.168.103.178
[  214.699769] [tempesta fw] 192.168.103.178 "tempesta-tech.com" "GET / HTTP/1.1" 403 0 "-" "Googlebot-Video/1.0"
[  214.699787] [tempesta fw] Warning: frang: requests burst exceeded for 192.168.103.178: 24 (lim=20) ffff9db104db3c30
[  214.699788] [tempesta fw] Warning: parsed request has been filtered out: 192.168.103.178
[  214.699790] [tempesta fw] 192.168.103.178 "tempesta-tech.com" "GET / HTTP/1.1" 403 0 "-" "Googlebot-Video/1.0"
[  214.699820] [tempesta fw] Warning: frang: requests burst exceeded for 192.168.103.178: 25 (lim=20) ffff9db104db3c30
[  214.699821] [tempesta fw] Warning: parsed request has been filtered out: 192.168.103.178
[  214.699823] [tempesta fw] 192.168.103.178 "tempesta-tech.com" "GET / HTTP/1.1" 403 0 "-" "Googlebot-Video/1.0"
[  214.699841] [tempesta fw] Warning: frang: requests burst exceeded for 192.168.103.178: 26 (lim=20) ffff9db104db3c30
[  214.699843] [tempesta fw] Warning: parsed request has been filtered out: 192.168.103.178
[  214.699844] [tempesta fw] 192.168.103.178 "tempesta-tech.com" "GET / HTTP/1.1" 403 0 "-" "Googlebot-Video/1.0"
[  214.699862] [tempesta fw] Warning: frang: requests burst exceeded for 192.168.103.178: 27 (lim=20) ffff9db104db3c30
[  214.699863] [tempesta fw] Warning: parsed request has been filtered out: 192.168.103.178
[  214.699865] [tempesta fw] 192.168.103.178 "tempesta-tech.com" "GET / HTTP/1.1" 403 0 "-" "Googlebot-Video/1.0"
[  214.699881] [tempesta fw] Warning: frang: requests burst exceeded for 192.168.103.178: 28 (lim=20) ffff9db104db3c30
[  214.699883] [tempesta fw] Warning: parsed request has been filtered out: 192.168.103.178
[  214.699884] [tempesta fw] 192.168.103.178 "tempesta-tech.com" "GET / HTTP/1.1" 403 0 "-" "Googlebot-Video/1.0"
[  214.699901] [tempesta fw] Warning: frang: requests burst exceeded for 192.168.103.178: 29 (lim=20) ffff9db104db3c30
[  214.699902] [tempesta fw] Warning: parsed request has been filtered out: 192.168.103.178
[  214.699904] [tempesta fw] 192.168.103.178 "tempesta-tech.com" "GET / HTTP/1.1" 403 0 "-" "Googlebot-Video/1.0"
[  214.699921] [tempesta fw] Warning: frang: requests burst exceeded for 192.168.103.178: 30 (lim=20) ffff9db104db3c30
[  214.699922] [tempesta fw] Warning: parsed request has been filtered out: 192.168.103.178
[  214.699924] [tempesta fw] 192.168.103.178 "tempesta-tech.com" "GET / HTTP/1.1" 403 0 "-" "Googlebot-Video/1.0"
[  214.699941] [tempesta fw] Warning: frang: requests burst exceeded for 192.168.103.178: 31 (lim=20) ffff9db104db3c30
```

ffff9db104db3c30 - one client here.

Expected Behavior
Tempesta always drops the client connection, the connection data and doesn't parse next requests (I checked, these are new requests).

To Reproduce
t_stress.test_ddos.TestDDoSL7. See 438. Most likely you should use only GET flood to reproduce.

Configuration file

TempestaFW config:

```
listen 80 proto=http;
listen 443 proto=h2,https;

cache 2;
cache_fulfill * *;
cache_methods GET HEAD;
cache_ttl 3600;

access_log on;
keepalive_timeout 15;

frang_limits {
    request_rate 100;
    request_burst 20;
    tcp_connection_rate 100;
    tcp_connection_burst 20;
    concurrent_tcp_connections 100;
    client_header_timeout 20;
    client_body_timeout 10;
    http_uri_len 1024;
    http_hdr_len 256;
    http_ct_required false;
    http_ct_vals "text/plain" "text/html" "application/json" "application/xml";
    http_header_chunk_cnt 10;
    http_body_chunk_cnt 0;
    http_resp_code_block 403 404 502 5 1;
    http_method_override_allowed true;
    http_methods head post put get;
    http_strict_host_checking false;

    ip_block off;
}

# Allow only following characters in URI: %+,/a-zA-Z0-9&?:-.[]_=
# These are tested with the WordPress admin panel.
http_uri_brange 0x25 0x2b 0x2c 0x2f 0x41-0x5a 0x61-0x7a 0x30-0x39 0x26 0x3f 0x3a 0x2d 0x2e 0x5b 0x5d 0x5f 0x3d;

health_stat 3* 4* 5*;
health_stat_server 3* 4* 5*;

block_action attack drop;
block_action error reply;

# Make WordPress work over TLS.
# See https://tempesta-tech.com/knowledge-base/WordPress-tips-and-tricks/
req_hdr_add X-Forwarded-Proto "https";

resp_hdr_set Strict-Transport-Security "max-age=31536000; includeSubDomains";

# Remove the proxy header to mitigate the httpoxy vulnerability
# See https://httpoxy.org/
req_hdr_set Proxy;

tls_certificate ${tempesta_workdir}/tempesta.crt;
tls_certificate_key ${tempesta_workdir}/tempesta.key;
tls_match_any_server_name;

srv_group main {server ${server_ip}:8000 conns_n=512;}

vhost tempesta-tech.com {proxy_pass main;}

http_chain {
	# Redirect old URLs from the old static website
	uri == "/index"		-> 301 = /;
	uri == "/development-services" -> 301 = /network-security-performance-analysis;

	# Disable PHP dynamic logic for caching
	# See https://www.varnish-software.com/developers/tutorials/configuring-varnish-wordpress/
	uri == "/wp-admin*" -> cache_disable;
	uri == "/wp-comments-post.php*" -> cache_disable;

	# RSS feed /comments/feed/ is cached as other resource for 1 hour,
	# defined by the global cache_ttl policy.

	# Probably outdated redirects
	uri == "/index.html"	-> 301 = /;
	uri == "/services"	-> 301 = /development-services;
	uri == "/services.html"	-> 301 = /development-services;
	uri == "/c++-services"	-> 301 = /development-services;
	uri == "/company.html"	-> 301 = /company;
	uri == "/blog/fast-programming-languages-c-c++-rust-assembly" -> 301 = /blog/fast-programming-languages-c-cpp-rust-assembly;

	-> tempesta-tech.com;
}
```

tests config in General section:

```
duration = 30
concurrent_connections = 80
stress_threads = 10
stress_requests_count = 50
```

Version or commit hash
Tempesta - 4f68ea5
kernel - 5.10.35.tfw-cf95567
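
Added example (not part of the original report and not Tempesta FW code): a Python check that scans dmesg output for the frang burst warnings in the format quoted above and reports clients whose counter kept rising past the first violation (lim + 1), which is the symptom this issue describes. The sample lines, IPs and client pointers are constructed; treating the trailing client pointer as optional is an assumption.

```python
import re
from collections import defaultdict

# Format of the frang warning as it appears in the issue's dmesg excerpt.
# Assumption: the trailing client pointer may be absent in other builds,
# in which case the IP address is used as the grouping key.
BURST_RE = re.compile(
    r"\[\s*(?P<ts>\d+\.\d+)\] \[tempesta fw\] Warning: frang: requests burst "
    r"exceeded for (?P<ip>\S+): (?P<count>\d+) \(lim=(?P<lim>\d+)\)"
    r"(?: (?P<client>[0-9a-f]+))?"
)

def find_overruns(lines):
    """Return clients whose burst counter kept growing past lim + 1."""
    events = defaultdict(list)
    for line in lines:
        m = BURST_RE.search(line)
        if m:
            key = (m["client"] or m["ip"], m["ip"], int(m["lim"]))
            events[key].append((float(m["ts"]), int(m["count"])))
    overruns = []
    for (client, ip, lim), seen in sorted(events.items()):
        peak = max(count for _, count in seen)
        # Per the report, lim + 1 is the single violation normally logged;
        # anything above it means further requests were still being parsed.
        if peak > lim + 1:
            times = [ts for ts, _ in seen]
            overruns.append({
                "client": client, "ip": ip, "lim": lim, "peak": peak,
                "extra_requests": peak - (lim + 1),
                "window_s": round(max(times) - min(times), 6),
            })
    return overruns

# Constructed sample modelled on the excerpt (documentation IPs, fake pointers).
SAMPLE = """\
[  100.000100] [tempesta fw] Warning: frang: requests burst exceeded for 192.0.2.10: 21 (lim=20) ffff000000000a10
[  100.000110] [tempesta fw] Warning: parsed request has been filtered out: 192.0.2.10
[  100.000200] [tempesta fw] Warning: frang: requests burst exceeded for 192.0.2.20: 21 (lim=20) ffff000000000b20
[  100.000220] [tempesta fw] Warning: frang: requests burst exceeded for 192.0.2.20: 22 (lim=20) ffff000000000b20
[  100.000240] [tempesta fw] Warning: frang: requests burst exceeded for 192.0.2.20: 23 (lim=20) ffff000000000b20
[  100.000260] [tempesta fw] Warning: frang: requests burst exceeded for 192.0.2.20: 24 (lim=20) ffff000000000b20
""".splitlines()

if __name__ == "__main__":
    for row in find_overruns(SAMPLE):
        print(row)
```

Feeding it the output of `dmesg` from a stress run gives one row per client that was not cut off at the first violation, with the number of extra requests and the time window over which they were logged.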
