Bandwidth Management and Rate Shaping are two key techniques to prioritize traffic using Traffic Manager.
- Bandwidth Management is used to limit the bandwidth used by network traffic
- Rate Shaping is used to limit the rate of transactions
Bandwidth Management
Traffic Manager's Bandwidth Management is applied by assigning connections to a Bandwidth Class. A bandwidth class limits the bandwidth used by its connections in one of two ways:
- Per connection: You could use a bandwidth class to limit the bandwidth of each video download to, for example, 400Mbits, to limit the effect of download applications that would otherwise use all your available bandwidth
- Per class: All of the connections assigned to the class share the total bandwidth limit in a fair and equitable fashion. For example, you may wish to limit the amount of bandwidth that unauthenticated users use so that a proportion of your bandwidth is reserved for other traffic
The 'per class' bandwidth can be counted on a per-traffic-manager basis (simple) or can be shared across a traffic manager cluster (sophisticated). When it is shared, the traffic managers negotiate between themselves on a per-second basis (approx) to share out parts of the bandwidth allocation in proportion to the demand on each Traffic Manager.
Assigning Bandwidth Management to connections
A bandwidth management class may be assigned in one of two different ways:
- Per service: All of the connections processed by a virtual server will be assigned to a common bandwidth management class
- Per connection: A TrafficScript rule can assign a connection to a bandwidth class based on any critera, for example, whether the user is logged in, what type of content the user is requesting, or the geographic location of the user.
Examples of Bandwidth Management in action
Rate Shaping
Rate Shaping is most commonly used to control the rate of particular types of transactions. For example, you could use Rate Shaping to control the rate at which users attempt to log in to a web form, in order to mitigate against dictionary attacks, or you could use Rate Shaping to protect a vulnerable application that is prone to being overloaded.
Rates are defined using Rate Classes, which can specify rates on a per-second or per-minute basis:
Rate Shaping is implemented using a queue. A TrafficScript rule can invoke a rate class, and the execution of that rule is immediately queued.
- If the queue limits (per minute or per second) have not been exceeded, the rule is then immediately released from the queue and can continue executing
- If the queue limits have been exceeded, the rule execution is then paused until the queue limits are met
For example, to rate-limit requests for the /search.cgi resource using the limits defined in the 'DDoS Protect' rate class, you would use the following TrafficScript snippet:
$path = http.getPath(); if( $path == "/search.cgi" ) rate.use( "DDoS Protect" );
You can use the functions rate.getBacklog() and rate.use.noQueue() to query the length of the queue, or to test a connection against the current queue length without suspending it.
Rate limits are applied by each traffic manager. The limit is not shared across the cluster in the way that bandwidth limits can be.
Rate shaping with contexts
In some cases, you may need to apply a rate limit per-user or per-URL. You can use rate.use() with an additional 'context' argument; the rate limit is applied to each context individually. For example, to limit the number of requests to /search.cgi from each individual IP address, you would use:
$path = http.getPath(); $ip = request.getRemoteIP(); if( $path == "/search.cgi" ) rate.use( "DDoS Protect", $ip );
Examples of Rate Shaping in action
- Dynamic rate shaping slow applications
- Catching Spiders with Traffic Manager
- The "Contact Us" attack against mail servers
- Rate Limit only client Traffic from CDN/Proxy or Header Value
- Detecting and Managing Abusive Referers
Read more
