Skip to content

Added ssh connection rate limiting feature#1469

Open
dbathgate wants to merge 1 commit intocloudfoundry:masterfrom
dbathgate:connection-throttling
Open

Added ssh connection rate limiting feature#1469
dbathgate wants to merge 1 commit intocloudfoundry:masterfrom
dbathgate:connection-throttling

Conversation

@dbathgate
Copy link

@dbathgate dbathgate commented May 2, 2024
edited
Loading

Issue

  • The BBR tool opens and closes multiple ssh connections during a single run
  • Issues have been encountered with firewalls considering the multiple ssh connections as a brute force attack and kills the connections
  • This particular firewall is configured to limit the amount of connections to a distinct host per a duration window (example: 20 connections per minute)

Implementation

  • Added a rate limiting feature that will throttle opening of new connections if too many have been opened within a given time frame
  • The amount of connections and the duration window are both configurable, and the rate limiting feature itself can be toggled on

Example Usage:

bbr deployment \
--rate-limiting \
--rate-limiting-max-connections 10 \
--rate-limiting-duration 60s \
--deployment <deployment> backup

Impact

  • Without this feature, backups cannot be completed with the given firewall configuration in place

@cf-gitbot
Copy link

cf-gitbot commented May 2, 2024

We have created an issue in Pivotal Tracker to manage this. Unfortunately, the Pivotal Tracker project is private so you may be unable to view the contents of the story.

The labels on this github issue will be updated when the story is started.

@dbathgate dbathgate force-pushed the connection-throttling branch from c1061d7 to 0334d8b Compare May 2, 2024 20:16
@rkoster rkoster requested review from a team, dlresende, jpalermo and rkoster and removed request for a team and jpalermo May 6, 2024 09:23
rkoster
rkoster requested changes May 6, 2024
View reviewed changes
Copy link

@rkoster rkoster left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I like the idea of this PR, but would it be possible to use the go standard library for the limiter?
From briefly looking at the docs: https://pkg.go.dev/golang.org/x/time/rate
It seems like something like a combination of rate.Every and rate.NewLimiter should achieve the same result.

@dbathgate dbathgate force-pushed the connection-throttling branch from 0334d8b to 952633b Compare May 8, 2024 17:27
@cniles
Copy link

cniles commented May 9, 2024
edited
Loading

Hi @rkoster, I've been working with Darren on this.

An equivalent call with the current args looks like NewLimiter(maxConnections/duration, 1) which is naive to bursting.

Do you have a suggestion for how bursting could be accounted for on the command line args?

Some options are :

  • Just ignore bursting and keep b fixed to 1.
  • Expose the NewLimiter interface by having the user provide r and b arguments, e.g. --rate-limiter-rate and --rate-limiter-burst instead of one for max connections and duration.
  • Keep the current args and just add an additional --rate-limiter-burst arg that defaults to 1.

@dbathgate dbathgate force-pushed the connection-throttling branch 4 times, most recently from 66838c6 to c19e57c Compare June 19, 2024 19:16
@alexbarbato
Copy link

alexbarbato commented Jul 9, 2024

Y'all waiting on another review from @rkoster here @dbathgate?

Added ssh connection rate limiting feature
2c023f4 
- allows enabling ssh connection rate limiting
- adds configurable amount of max connections per duration window
- adds configurable duration window

Signed-off-by: Darren Bathgate <darren.bathgate@broadcom.com>
@dbathgate dbathgate force-pushed the connection-throttling branch from c19e57c to 2c023f4 Compare August 15, 2024 14:28
@dbathgate
Copy link
Author

dbathgate commented Aug 15, 2024

Y'all waiting on another review from @rkoster here @dbathgate?

We attempted to use the rate limiter library provided by Go, but it was not working as expected for our needs. The rate limiter was still tripping the firewall brute force rule, and was running slower than the original version. We reverted back to the version I have in this pull request, and have been running this successfully for over 3 months.

@aramprice
Copy link
Member

aramprice commented Oct 28, 2025

This has been open for > 1 year, should we go ahead and close this?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rkoster rkoster rkoster requested changes

@dlresende dlresende Awaiting requested review from dlresende

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

unscheduled

Projects

Foundational Infrastructure Working Group
Status: Waiting for Changes | Open for Contribution

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@dbathgate @cf-gitbot @cniles @alexbarbato @aramprice @rkoster