Traffic rate limiting on linux
I've spent a day looking up how I could rate-limit my honeypot so someone malicious can't eat my bandwidth. It's hairy... I decided it was important, though, since the first thing all the 1337 |-|4x0r3z who log in to my site do is test the download rate. Here is a simple network up/down method that works for me on my debian stable (squeeze) honeypot:
/etc/network/if-up.d/tcratelimit
#!/bin/sh
# Shape every interface except loopback when ifupdown brings it up.
if [ "$IFACE" != "lo" ]; then
    # Ingress: police incoming traffic, dropping whatever exceeds the rate.
    tc qdisc add dev "$IFACE" handle ffff: ingress
    tc filter add dev "$IFACE" parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate 2mbit burst 12kb mtu 1500 drop flowid :1
    # Egress: token bucket filter on the root qdisc limits upload.
    tc qdisc add dev "$IFACE" root tbf rate 0.4mbit burst 3kb mtu 1500 latency 100ms
fi
This limits incoming traffic (download) to 2mbit (~200K/s) and upload to 0.4mbit (~40K/s); the important thing is to check that everything correlates. If you want to raise the rate you'll have to raise the "burst" as well (which, as I understand it, is the buffer). Be careful also to specify the correct mtu for your interface. I honestly don't understand why this needs to be such a pain in the ass when all the variables could be inferred from the desired bitrate. In my experience it's good to give at least 2kb of burst for each mbit, both up and down. (I'm on the amd64 architecture → this seems to be important.)
/etc/network/if-down.d/tcdown
#!/bin/sh
# Undo both qdiscs when the interface goes down, so the up script can add them again cleanly.
if [ "$IFACE" != "lo" ]; then
    tc qdisc del dev "$IFACE" ingress
    tc qdisc del dev "$IFACE" root
fi
Of course don't forget to chmod +x those buggers!
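As an added example (not the post's own scripts), the two pieces above folded into one parametrised script, so the rate is the only knob and the burst follows from it. The function names, the DOWN_KBIT/UP_KBIT/DRY_RUN variables, the file name tcshape and the burst heuristic (6kb per mbit, which reproduces the post's 12kb for 2mbit and 3kb for 0.4mbit and stays above its "at least 2kb per mbit" rule) are all assumptions of this example, not anything from the post. With DRY_RUN=1 it only prints the tc commands, which is how to check that rate, burst and mtu correlate before running it as root; the deletes come first so re-running the script is harmless.

```shell
#!/bin/sh
# Added example: parametrised tc shaping for an ifupdown hook (hypothetical
# file /etc/network/if-up.d/tcshape). Assumes $IFACE is set by ifupdown and
# rates are given in kbit/s via DOWN_KBIT and UP_KBIT (defaults: 2000/400,
# the post's 2mbit down / 0.4mbit up). DRY_RUN=1 prints instead of executing.

# Burst heuristic (constructed for this example): 6 kb per mbit, rounded up.
# burst_kb 2000 -> 12, burst_kb 400 -> 3, matching the post's values.
burst_kb() {
    kbit=$1
    echo $(( (kbit * 6 + 999) / 1000 ))
}

# Print the three tc commands for one interface.
# Arguments: iface down_kbit up_kbit [mtu]
shape_cmds() {
    iface=$1; down=$2; up=$3; mtu=${4:-1500}
    dburst=$(burst_kb "$down")
    uburst=$(burst_kb "$up")
    cat <<EOF
tc qdisc add dev $iface handle ffff: ingress
tc filter add dev $iface parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate ${down}kbit burst ${dburst}kb mtu $mtu drop flowid :1
tc qdisc add dev $iface root tbf rate ${up}kbit burst ${uburst}kb mtu $mtu latency 100ms
EOF
}

# Print the commands that remove existing shaping; "|| true" makes them
# harmless when nothing is there yet, so the script is safe to re-run.
unshape_cmds() {
    iface=$1
    cat <<EOF
tc qdisc del dev $iface ingress 2>/dev/null || true
tc qdisc del dev $iface root 2>/dev/null || true
EOF
}

# Consume commands from stdin: print them (dry run) or execute them, aborting
# on the first failure so a half-applied configuration is noticed.
run_cmds() {
    if [ "${DRY_RUN:-0}" = 1 ]; then cat; else sh -e; fi
}

# Apply shaping to $IFACE; skips loopback like the post's hook does.
apply_shaping() {
    [ -n "$IFACE" ] || { echo "IFACE is not set" >&2; return 1; }
    [ "$IFACE" != "lo" ] || return 0
    { unshape_cmds "$IFACE"
      shape_cmds "$IFACE" "${DOWN_KBIT:-2000}" "${UP_KBIT:-400}"; } | run_cmds
    # Verify what the kernel actually installed: both qdiscs and their rates.
    [ "${DRY_RUN:-0}" = 1 ] || tc -s qdisc show dev "$IFACE"
}

# Run only when executed as the hook itself, not when sourced for its functions.
if [ "${0##*/}" = "tcshape" ]; then apply_shaping; fi
```

Copy the same file to /etc/network/if-down.d/ with only the unshape_cmds step if you prefer separate hooks, as the post does; the delete-before-add order here means one file is enough for the up direction.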
