For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Deepsri's avatar
Deepsri
Icon for Altocumulus rankAltocumulus
May 26, 2023

Connection Rate Limit Mode - Per Source Address

We are trying to use the Connection Rate Limit Mode - Per Source Address option for one of our higly used VIP's. What the best way to configure this setting. We have tried this option without much su...
application delivery
awan_m's avatar
awan_m
Icon for Cirrostratus rankCirrostratus
Aug 22, 2023

Hi Mohamed_Ahmed_Kansoh 

i am trying to implement Rate limit too - but i dont quiet understnd this part 
"Specifies an IP address mask, in bits, to be applied to the source address as part of the rate limiting. The default is 0, which is equivalent to using the entire address, 32 in IPv4, or 128 in IPv6."

as an example 

1 have 2 Virtual servers sharing the same ip but different ports - and these are non http apps
VS1 - 10.10.10.10 - port 4403 - rate limit 10 - Mode - Virtual server and source Address
VS2 - 10.10.10.10 - port 4404 - rate limit 10 - Mode - Virtual server and source Address

i have same client ips connecting to both 

if a clinet IP - 20.20.20.20 reaches limit for VS1 - how would that impact its connections on VS2. meaning 

if the clinets is on 11 connection on VS1 will that also block it on VS2 where it has 4 connections .

and in the above scenario - what valuse should i specify for - Connection Rate Limit Source Mask ?

thanks 

 

Mohamed_Ahmed_Kansoh's avatar
Mohamed_Ahmed_Kansoh
Icon for MVP rankMVP
Aug 22, 2023

Hi awan_m , 
For you query about both of Virtual server : 
Each virtual server has it's own settings and connection limits , so VS1 shouldn't impact VS2 even if it has same ip , this is could be done by L4 firewall for example. 

For suitable values of Connection Limits : 

it depends on your environment and clients traffic patterns , you should ask the server owner , how many connections do you expect to recieve on this VS per source ip. 

My Recommendation : 
use >>> Connection Limit not Connection rate limit >>> to be able to set optimal values. 
If you did this , enable your AVR module and monitor the Max Concurent connections ( For a week or month ) and take this value and set it to the VS Connection Limits ( Be careful , if this VS was under DoS attack within the monitoring period you have to reset your stats and re-monitor the traffic connections again ) this is not to put a very large limit that bigip sensed from the DoS ATTACK. 

The way to get your Connection stats : 
> Provision AVR First. 
> Add this Virtual server into analytics profile > wait 10 mis and start monitoring. 
> to moinitor your VS connections : 
Go to Statistics >> Analystics >> Virtual servers >> Traffic Details >> Connections. 
you will see all collected stats since you added this VS to AVR. 


If you need to know how to enable AVR and Analytics profile : 
use this web site https://clouddocs.f5.com/training/community/analytics/html/class1/class1.html
Concentrate on >>> Task1 & Task2. 

I hope you see my comment insightful ^^