Linux 使用wondershaper限制帶寬速度

前情提要

為什麼要限制帶寬哩? 原因是之前管理的某服務器被黑了; 被拿去做肉雞參與了在世界上某地的一場DDOS戰役.. 見下圖

流量被吃, CPU可能還被拿去挖礦, 這都已經夠慘了; 供應商直接把你斷網, 然後給你一個告知 原文如下

Hi there,

We've detected an outgoing Denial of Service attack (http://do.co/21Y1Gc1) originating from your Droplet. Due to the traffic’s harmful nature, your Droplet was taken offline; this means it is not connected to the internet and all hosted sites and services are unreachable. We know that this action is disruptive, but it’s necessary to protect you, our network, and the target of your Droplet’s attack.

You can access your droplet using this console link: https://cloud.digitalocean.com/droplets/119932431/console

Because this means your Droplet has been compromised, you’ll need to back up your data and transfer it to a new Droplet. We have a recovery tool to assist you, but any databases on your Droplet will need to be backed up before we boot your Droplet into the recovery tool because you won’t be able to make the backups afterwards.

Specific backup steps vary depending on the database software in use, which is most commonly MySQL. If you’re not sure how, http://do.co/1h0uWgm will show you how to back up your databases from MySQL.

Once you have finished backing up your data, the next step is downloading and transferring your data to your new Droplet. Please update this ticket when you’re ready and we’ll configure this Droplet so you can proceed.

If you’ve enabled our backup service or have a snapshot of the Droplet, you can restore directly from that image instead of going through the recovery process. Be aware that this will destroy any changes or additions made to the Droplet since the creation date of the image you use to restore from. If you do this, please update the ticket as we will need to reconfigure networking to get your Droplet back online.

If you don’t need the data from this Droplet, you can destroy this Droplet at your convenience. If you’d like to keep the current IP address, you will need to use our rebuild function. This acts like a clean install of your OS and is currently the only way to ensure you retain your IP. As with restoring from an image, please let us know once you’ve done this.

If you have any further questions, or if we can further assist, please let us know.

Regards,

Trust & Safety
DigitalOcean Support


內容大致如下

我們發現尼的vps有大量惡意流量唷, 為了保護尼, 我們將它斷網了. 不過尼還是可以透過 web console 登入唷 ! 即使進去後你還是沒有網路德, 備份好之後請跟我們說唷, 我們會協助尼將資料轉移到新的機器, 至於現在這台就這樣讓他去吧~ 886


哇擦... 發現惡意流量你可以限速就行了吧? 搞成這樣至於嗎?
嘛... 算了 當作沒有事先了解遊戲規則吧...


正文

所以說.. 我們就乖乖的自己限速一下吧...

先看一下官方, 這套件其實就是 tc 的前端, 方便使用者調用 tc ; 而 tc, 就是 linux 內核用來控制流量的機制.
關於 tc 網路上介紹的文章已經很多了, 那部分還真的有點艱深... 小弟理解不足, 就不在這邊介紹了, 請各位大大自行移駕.

再說用法之前, 還需要再補充一點. tc 本身對於上傳可以比較準確地控制, 下載則無法. 原因是對於出口流量, 較容易控制要出去多少, 而近來的流量, 必須要靠中介網卡ifb才可以; 但這部分超出文章範圍哩, 有興趣的自行去理解吧!



下載

cd /tmp/
git clone  https://github.com/magnific0/wondershaper.git
cp wondershaper/wondershaper /usr/bin/
wondershaper -h
USAGE: /usr/bin/wondershaper [-hcs] [-a <adapter>] [-d <rate>] [-u <rate>]

Limit the bandwidth of an adapter

OPTIONS:
   -h           Show this message
   -a <adapter> Set the adpter
   -d <rate>    Set maximum download rate (in Kbps) and/or
   -u <rate>    Set maximum upload rate (in Kbps)
   -p           Use presets in /etc/conf.d/wondershaper.conf
   -c           Clear the limits from adapter
   -s           Show the current status of adapter
   -v           Show the current version

MODES:
   wondershaper -a <adapter> -d <rate> -u <rate>
   wondershaper -c -a <adapter>
   wondershaper -s -a <adapter>

EXAMPLES:
   wondershaper -a eth0 -d 1024 -u 512
   wondershaper -a eth0 -u 512
   wondershaper -c -a eth0


使用

首先看一下未限速的上傳: 100Mbits


然後使用該工具查看網卡的預設配置: wondershaper -s -a ens160


接下來, 幫他上限速. 這邊就只限制上傳速度: wondershaper -a ens160 -u 20480; 這樣子是鎖在20Mbits


最後看一下成果吧: 16Mbits


如果不要限制了的話: wondershaper -c -a ens160


結論

希望大家的雲主機都能安安穩穩~~~