Forum Discussion

Jon_Strabala_46's avatar
Jon_Strabala_46
Icon for Nimbostratus rankNimbostratus
May 14, 2010

Want throttle or add small delay/pause to slow down SMTP connections

Hi,

 

 

My basic question is once I know I want to temporarily "block" "delay" or "pause" a connection to "slow" down a TCP (actually SMTP) connection a fixed period of time say between 100ms to 2000ms - how do I do it in an iRULE ?

 

 

Why I want to do this

 

 

I wish to implement via iRULEs a "teergube" (definition below), which would do one of the following a), b), or c) in all cases I do not know to correct why to "pause", "delay" or "block" the data transfer.

 

 

I would want to do either a), b) or c). I definitely prefer c) but every approach requires that I understand how solve the question above.

 

 

a) on each SMTP connection apply a finite delay when accepting the connection

 

such as 500ms (1/2 a sec).

 

 

b) on each packet (or every N bytes in a SMTP connection) apply a finite delay

 

better yet after 50K bytes start applying the finite delay.

 

 

c) inspect the SMTP data and for connection inspect the payload such that

 

each time match the following HELO or EHELO (pipelining) I could be smart

 

about injected delays and prevent 'spammers' from hogging bandwidth. As an

 

example.

 

 

1. if { [string match -nocase "MAIL FROM:*" [TCP::payload]] } {

 

block or pause the connection a fixed finite delay like 200ms

 

on occurrence 2-N this lets the first message go fast.

 

 

2. if { [string match -nocase "RCPT TO:*" [TCP::payload]] } {

 

block or pause the connection a fixed finite delay like 100ms

 

on occurrence 4-N this lets the first message go fast to a

 

limited number of users.

 

 

Thanks in Advance

 

 

Other

 

 

Information about what a "teergube" is - basically it seems like a way to "slow" done spammers and tie up their resources while eliminating spam:

 

 

http://www.iks-jena.de/mitarb/lutz/usenet/teergrube.en.html

 

http://serverfault.com/questions/60141/is-there-any-point-to-teergrubing-anymore

 

 

 

config
design
  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    May 18, 2010
    Hi Jon,

     

     

    As TMM is single threaded, if you could add delay to connections, it would affect all connections that the TMM instance is handling. So there isn't a practical way to accomplish exactly what you've described. I wonder if you could use rate classes to do this to some extent though:

     

     

    http://devcentral.f5.com/wiki/default.aspx/iRules/rateclass

     

     

    Aaron
  • Hamish's avatar
    Hamish
    Icon for Cirrocumulus rankCirrocumulus
    May 18, 2010
    What SMTP server do you use? postfix (www.postfix.org) will handle this for you... But because it knows about your users etc, it only slows down connections for things that are more likely to be spammers rather than slowing down legitimate traffic...

     

     

    (Slowing down ALL connections will just annoy people). However if you snoop the result codes from a generic SMTP server, you could (As hoolio suggests) use rate shaping to drop the bandwidth to some painfully low level (And send a nice long status message telling the admin what you're doing, and how to contact you if it's a mistake).

     

     

    H
  • Jon_Strabala_46's avatar
    Jon_Strabala_46
    Icon for Nimbostratus rankNimbostratus
    May 18, 2010
    Aaron,

     

     

    > As TMM is single threaded, if you could add delay to connections, it would affect all connections

     

    > that the TMM instance is handling. So there isn't a practical way to accomplish exactly what you've

     

    > described.

     

     

    What about pausing while processing a connections data in a later iRULE clause CLIENT_DATA e.g. after a TCP:collect or is this also single threaded - just curious.

     

     

    I know I could just redirect the connection into a "tar pit" e.g. a 'C' based SMTP proxy that limits the bandwidth (and also records / logs information about the spammer) but thought that maybe the F5 could do it all.

     

     

    > I wonder if you could use rate classes to do this to some extent though:

     

    >

     

    >

     

     

    I was just hoping that there was something like "yeild( millisecs)", so I will look into the applying a rate class and only to 'spamming connections'

     

     

    Hamish

     

     

    I do indeed understand that postfix and sendmail have extensive options that can be used to do what I am attempting e.g. down spammers. I also understand that I do not what to apply the slowdown to everyone.

     

     

    Please also understand that the F5 is used "backwards" for an Mobile ISP thus it fronts hundreds of different unknown types of mail servers (and of course none of them are under the ISP's control).

     

     

    My iRULE right now analyzes the connection frequency and pattern and pretty much knows which connection is a spammer - right now I drop all SMTP spam connect - but what I wanted to play with was slowing them down to a trickle. According to Aaron (see first part of this reply) it seems like I have to use a rate class.

     

     

    Thanks for your responses.

     

     

    Jon Strabala

     

  • Hamish's avatar
    Hamish
    Icon for Cirrocumulus rankCirrocumulus
    May 18, 2010
    Ah... You're running in reverse... OK... No problems...

     

     

    Actually, I'm not sure you couldn't use the 'after' command to accomplish what you want...

     

     

    e.g.

     

     

    
if () {
  after 500 {
    
    return
  }
}

return

     

     

    So if we have a spammer, we execute the after command with a 500ms delay and then send a respons. But if we don't have a spammer we send the response immediately...

     

     

    Sorry... Pseudo code only today...

     

     

    H