-
Notifications
You must be signed in to change notification settings - Fork 189
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Rate limiting for connections #119
base: master
Are you sure you want to change the base?
Rate limiting for connections #119
Conversation
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). For more information, open the CLA check for this pull request. |
13e1c19
to
2e2e15d
Compare
2e2e15d
to
3986229
Compare
@vysotskylev You wrote:
Thanks for the clarification. I would still like to understand more about what you are seeing that motivates this change. I just wrote a quick microbenchmark for the TCP and UDP download throughput. It shows 13+ Gbps for TCP and 900+ Mbps for UDP on my 5-year-old laptop, fast enough to saturate a 1 Gbps link. Do you think your server is CPU-limited? Or do you think users are saturating the network link, resulting in packet loss outside of your VM? Also, why do you think that UDP is particularly problematic? Have users reported worse behavior with UDP-based applications? If so, which protocols or applications are causing a problem? We definitely want to make sure that this server scales well to large numbers of users and access keys, but I want to make sure that we are solving the right problem first. |
Hello, @bemasc We provide free service to pass all censorship. Anyone can create key and use free internet without any restrictions. But some users use the service for destruction purposes like downloading torrents, using our proxy for attacks (like LOIC). We cannot block their traffic, so only one possible way is to limit their speed to make their job more complicated. With large number of keys prometheus is bottle-neck, but it is up to Outline Server, but not ShadowSocks. Without it SS works pretty fast and shows stable graphs for cpu/mem |
We are considering how to proceed here. We want to make sure that outline-ss-server provides any anti-abuse capabilities required by your service, but we may want to take a different approach than this PR. Before we ask for changes, we want to make sure that your effort won't be wasted. We will try to think about this problem more and get back to you in the next week or two. |
I've written a prototype that takes an alternative approach to this problem, using the kernel to enforce fair sharing of bandwidth between users. You can find the code in the bemasc-somark branch. To use it, run the server as a privileged user, and also issue the following commands as root:
(replacing This change groups all traffic for each client IP into a single "flow", designated by its socket mark, and instructs the kernel to share bandwidth fairly among these flows. Thus, one user with 100 open sockets, or badly behaved UDP traffic, cannot get more than 1/10th of the bandwidth if there are 10 active users, even if the others only have one socket each. Would this change help to address your concerns? Are you able to test it and see if it performs acceptably? |
hello, @bemasc |
The former: a user who is currently sending data through the proxy. ("Currently" meaning roughly "within the last 200 milliseconds".)
The latter: only active users. If there are 3-4k keys but only one active user, that user should have the full 1 Gbit.
The underlying principle is Fair Queueing, treating all traffic for a given client as a single "flow". |
Sounds good, that's really fair queueing. How can I test it? |
I don't have any advice about how to test it. Perhaps you can set up a server and direct some user traffic to it, or try a load test running on several VMs simultaneously. If you do find a way to test it, you can see some statistics by running this command:
|
I mean, if it has no package, then I should compile it, then replace binary inside outline-server, right (probably through updating Dockerfile)? |
I assumed that you are already running the code in this PR, and hence must have a system for using alternative branches of outline-ss-server. I suppose the easiest way to run a modified version inside Docker would be to replace the binary here and then rebuild the Docker image. |
No description provided.