Greetings Everyone (and apologies if this has been asked previously, I’ve searched the forums and come up empty),
We would like to set up IP rate limiting for our HLS based streams. A single HLS stream viewer will nominally create multiple TCP connections per minute, and we are looking for suggestions and/or your own solutions for preventing a DoS when individuals (who are allowed to view streams) attempt to open a large number of streams from a single source address. We offer many different (~12) simultaneous streams to our viewers and any number of them could be active at the same time (typically between 1 and 5); we would not want a legitimate viewer to be completely denied viewing access, while at the same time we would like to limit them from causing undue host load.
I welcome your suggestions and implemented solutions to this problem, and I hope to find a best practice for this situation if one does exist.
Thank you,
Will Laws
Hello William,
As you are using the Wowza Streaming Engine software on a Linux platform, I’d suggest applying rate limits at the TCP level using iptables. For example, the following rule would allow up to 3 concurrent connections on port 1935 (Wowza default streaming port, adjust accordingly) from a single IP address, after which they would be rejected:
iptables -A INPUT -p tcp --syn --dport 1935 -m connlimit --connlimit-above 3 -j REJECT --reject-with tcp-reset
Alternatively (or in combination), you can mitigate the effects of clients who continually attempt connections in rapid sequence by setting a rate limit (this also protects against general DoS or DDoS attacks):
iptables -A INPUT -p tcp --dport 1935 -i eth0 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp --dport 1935 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 -j DROP
The above example will drop incoming connections for an IP address that makes more than 3 connection attempts to port 1935 within 60 seconds on interface eth0. You can view your iptables rules with “iptables -L” and remove (flush) your rules with “iptables -F”. Using iptables in this way rejects any unwanted connections before they can reach the Wowza Streaming Engine software.
Regards,
Jason Hatchett
Hey, thanks a lot for your help.
I have many scripts that connect on 127.0.0.1 for image/video captures.
How can I set the rule with an exception?
Thanks in advance
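As an added example (not code from any post in this thread), the iptables rules from the reply above wrapped in a small idempotent script, with an ACCEPT rule for 127.0.0.1 placed ahead of the limiting rules, which is one way to carve out the exception asked about above. The port and interface come from the thread; the thresholds, the exempt address, the `hls_new` list name and the `hls-limits.sh` file name are assumptions to tune locally.

```shell
#!/bin/sh
# Added example: the reply's iptables rules as an idempotent script with an
# exemption for a trusted source. Thresholds, EXEMPT and LIST are assumptions.

PORT=${PORT:-1935}            # Wowza streaming port (from the thread)
IFACE=${IFACE:-eth0}          # public interface the limits apply to
MAX_CONN=${MAX_CONN:-3}       # concurrent connections allowed per source IP
HITS=${HITS:-3}               # new connections per window before dropping
WINDOW=${WINDOW:-60}          # window length in seconds
EXEMPT=${EXEMPT:-127.0.0.1}   # source that bypasses the limits (local scripts)
LIST=hls_new                  # named 'recent' list so other rules don't share it

# Append one INPUT rule. In dry-run mode the command is printed instead of
# executed; otherwise `iptables -C` is checked first so re-running the
# script does not append duplicate rules.
add_rule() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo iptables -A INPUT "$@"
    elif ! iptables -C INPUT "$@" 2>/dev/null; then
        iptables -A INPUT "$@"
    fi
}

# Rules in evaluation order: the ACCEPT for the exempt address comes first
# so its connections are never counted by connlimit or recent.
# Note: an HLS viewer opens several TCP connections per minute, so HITS and
# WINDOW must leave room for a legitimate player's segment requests.
# `-m conntrack --ctstate NEW` is the current form of `-m state --state NEW`.
hls_rules() {
    add_rule -p tcp --dport "$PORT" -s "$EXEMPT" -j ACCEPT
    add_rule -p tcp --syn --dport "$PORT" \
        -m connlimit --connlimit-above "$MAX_CONN" -j REJECT --reject-with tcp-reset
    add_rule -p tcp --dport "$PORT" -i "$IFACE" -m conntrack --ctstate NEW \
        -m recent --name "$LIST" --set
    add_rule -p tcp --dport "$PORT" -i "$IFACE" -m conntrack --ctstate NEW \
        -m recent --name "$LIST" --update --seconds "$WINDOW" --hitcount "$HITS" -j DROP
}

# Number of rules the script would install (dry run; used for checking).
rule_count() {
    DRY_RUN=1 hls_rules | grep -c .
}

# Usage: ./hls-limits.sh apply (as root), or DRY_RUN=1 ./hls-limits.sh apply
case "${1:-}" in
    apply) hls_rules ;;
esac
```

Run it with DRY_RUN=1 first to review the exact rules before installing them.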