How to throttle (or limit) the bitrate of a UDP connection using BRO?

Hello All,

I am using BRO for a part of my project. Following is what I intend to do:

  1. Monitor UDP connections.
  2. Compute their bitrates.
  3. Throttle the bitrates of these UDP connections based on some calculations.

I was able to complete tasks 1 and 2. However, I don’t know how I can accomplish task 3.

My current setup includes a Client (Node1) sending UDP data to a Server (Node3). The traffic has to pass through a Gateway (Node2) which is in between the Client and Server and is running BRO.

Node1 (Client) <------> Node2 (running BRO) < ------ > Node3 (Server)

If I have a UDP connection (between the Client and the Server) with a bit rate of 2Mb/s, how can I reduce its bitrate to a user-set value, say 1Mb/s, using BRO?

I am assuming one way may be to drop packets of a connection with a certain frequency such that the overall bitrate of that connection reduces? Is there a way we can accomplish this using BRO?

Or, is there any other way?

Kindly suggest.

Thank you,
Harkeerat Bedi

Node1 (Client) <------> Node2 (running BRO) < ------ > Node3 (Server)

Bro does not support inline operation.

    Vern

I suppose you could write a script that would install a firewall rule on the box to do the packet dropping (assuming whatever firewall you're using supports that). You can use the system() function in Bro to call your external script that would put the firewall rule in place. But generally Vern's point still applies that Bro doesn't ship with any consideration toward this deployment scenario.

  .Seth
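One way the external script in the suggestion above could look, as an added example that is not part of the original thread or of Bro. The script name, the argument order, the `brothrottle` bucket name and the sample addresses are assumptions; the rate is given in the `kb/s` unit of the iptables `hashlimit` match. Because the arguments originate from observed traffic and end up in a root-level firewall command, the helper validates each one before building the rule.

```shell
#!/bin/sh
# Added example. Hypothetical helper for Bro's system() to call as:
#   udp-throttle.sh <src_ip> <src_port> <dst_ip> <dst_port> <rate_kb_per_s>
# Prints the iptables rule; with APPLY=1 it installs it (needs root).

is_ipv4() {
    case "$1" in ''|*[!0-9.]*) return 1 ;; esac   # digits and dots only
    old_ifs=$IFS; IFS=.
    set -- $1                                      # split into octets
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

is_uint_in_range() {   # usage: is_uint_in_range VALUE MIN MAX
    case "$1" in ''|*[!0-9]*|??????*) return 1 ;; esac
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

build_rule() {
    [ "$#" -eq 5 ] || { echo "expected 5 arguments" >&2; return 2; }
    is_ipv4 "$1" && is_ipv4 "$3" ||
        { echo "rejected: bad address" >&2; return 1; }
    is_uint_in_range "$2" 1 65535 && is_uint_in_range "$4" 1 65535 ||
        { echo "rejected: bad port" >&2; return 1; }
    is_uint_in_range "$5" 1 99999 ||
        { echo "rejected: bad rate" >&2; return 1; }
    # Drop only the packets of this one flow that exceed the byte rate.
    printf '%s\n' "iptables -I FORWARD -p udp -s $1 --sport $2 -d $3 --dport $4 -m hashlimit --hashlimit-name brothrottle --hashlimit-mode srcip,srcport,dstip,dstport --hashlimit-above ${5}kb/s -j DROP"
}

if [ "$#" -gt 0 ]; then
    rule=$(build_rule "$@") || exit 1
    if [ "${APPLY:-0}" = 1 ]; then $rule; else printf '%s\n' "$rule"; fi
fi
```

Without `APPLY=1` the script only prints the rule, which allows reviewing what a Bro event would install before giving it root.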

OK. Thank you Seth and Vern for your feedback. I will follow the suggestions provided by Seth.

One of the reasons I thought about this was because I came across a function in BRO called “terminate_connection(c: connection)”. This function, as per the wiki: attempts to terminate a given connection using a rst utility. However, now I understand that BRO does not support inline operation as this rst utility is not a part of BRO.

Thanks again,
Harkeerat Bedi

Thank you Aaron for your suggestions :) I will look into them.

Regards,
Harkeerat Bedi