Limit connections per second from any host
-
I wish to limit the rate at which new connections are made to an open port, from any source address.
The need arose when it appeared we were on the receiving end of a DoS; in actual fact it was an AWS endpoint checker running out of control.
The service behind the port could not handle this rate.

Context
We have OpenVPN listening on port 443 TCP.
The reasoning is that we commonly get shaped when using UDP. Sometimes it is hotels that do the shaping, while other times it is ISPs shaping international-bound UDP traffic. We have found that using TCP 443 reduces the likelihood of shaping occurring. Our requirement can at times use high bandwidth, similar to hi-def video, so while yes, UDP has a low overhead with OpenSSL VPN, the ISPs along the way do not necessarily treat UDP the same as TCP, especially when compared to TCP on port 443.
In addition, in some regions we have this behind an AWS Global Accelerator; we do this to reduce latency.
The AWS endpoint checker went off the rails. For a period of several hours it checked 10 times a second, rotating through 73 or so IP addresses.
This behavior confused OpenSSL VPN, causing it to restart:
WARNING: Bad encapsulated packet length from peer (18245), which must be > 0 and <= 1768 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart... Note: OpenSSL hardware crypto engine functionality is not available
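For the Linux case, one way to get the limit asked for above is a dynamic nftables set that tracks new connections per source address, plus a global ceiling on new connections to the port. This is an added example, not from the original post; it assumes Linux with nftables, and the table and set names, the 5/second per-source rate, the bursts and the 50/second ceiling are placeholder values to tune against real client behaviour.

```nftables
# Added example (not from the original post): rate-limit NEW TCP connections
# to the OpenVPN port per source address, plus a global ceiling for the port.
# Assumptions: Linux with nftables; the names, 5/second, the bursts and the
# 50/second ceiling are placeholders to tune for the real client population.
table inet vpn_guard {
    # Dynamic sets: one entry per source address, expiring after a quiet minute
    set new_conn_v4 {
        type ipv4_addr
        flags dynamic
        timeout 1m
        size 65535
    }
    set new_conn_v6 {
        type ipv6_addr
        flags dynamic
        timeout 1m
        size 65535
    }

    chain input {
        type filter hook input priority filter; policy accept;

        # Per-source: drop a client's connection attempts above 5/s (burst 10),
        # counting and logging the drops so the operator can see who tripped it
        tcp dport 443 ct state new add @new_conn_v4 { ip saddr limit rate over 5/second burst 10 packets } counter log prefix "vpn443 per-src limit: " drop
        tcp dport 443 ct state new add @new_conn_v6 { ip6 saddr limit rate over 5/second burst 10 packets } counter log prefix "vpn443 per-src limit: " drop

        # Global ceiling: many low-rate sources together still cannot push more
        # than 50 new connections/s (burst 100) at the service behind the port
        tcp dport 443 ct state new limit rate over 50/second burst 100 packets counter log prefix "vpn443 global limit: " drop
    }
}
```

Note that the checker described above spread 10 connections a second over about 73 addresses, so each source stayed well under any sane per-source limit; only the global ceiling rule would have shielded the service in that case. Load with `nft -f <file>` and watch the counters with `nft list table inet vpn_guard` before lowering the numbers.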