[openstack-dev] [Neutron] [QOS] Request for Additional QoS capabilities

John Joyce (joycej) joycej at cisco.com
Wed Jun 17 15:58:45 UTC 2015

Hello everyone:
      I would like to test the waters on some new functionality we think is needed to protect OpenStack deployments from some overload situations due to an excessive user or DDOS scenario.   We wrote this up in the style of an RFE.   Please let us know your thoughts and we can proceed with a formal RFE with more detail if there are no concerns raised.

*What is being requested*
This request is to extend the QOS APIs to include the ability to provide connection rate limiting
*Why is it being requested*
There are many scenarios where a VM may be intentionally malicious or become harmful to the network due to its rate of initializing TCP connections.   The reverse direction of a VM being attacked with an excessive amount of TCP connection requests either intentionally or due to overload is also problematic.
*Implementation Choices
   There might be a number of ways to implement this,  but one of the easiest would appear to be to extend the APIs being developed under:  https://review.openstack.org/#/c/187513/. An additional rule type "connections per-second" could be added.
The dataplane implementation itself may be realized with netfilter and conntrack.
It would be possible to extend the security groups in a similar fashion,  but due to the addition of rate limiting, QoS seems a more nature fit.
*Who needs it*
Cloud operators have experienced this issue in real deployments in a number of cases.


John Joyce
joycej at cisco.com
Phone: +1 978 936 0227

Cisco Systems Limited
1414 Massachusetts Ave.

[Think before you print.]Think before you print.

This email may contain confidential and privileged material for the sole use of the intended recipient. Any review, use, distribution or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive for the recipient), please contact the sender by reply email and delete all copies of this message.
For corporate legal information go to:

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20150617/e8a59ac3/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.jpg
Type: image/jpeg
Size: 5673 bytes
Desc: image001.jpg
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20150617/e8a59ac3/attachment.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.gif
Type: image/gif
Size: 134 bytes
Desc: image002.gif
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20150617/e8a59ac3/attachment.gif>

More information about the OpenStack-dev mailing list