Erick_Hammersm1
Historic F5 Account
Nov 15, 2006

cookie rate limiting

I wrote this rule to measure the rate at which each value of a particular cookie is being submitted, and to block requests containing too-frequently-submitted cookies. I may also adapt this logic to limit frequently reconnecting clients, either by applying a rate class or by selectively discarding or rejecting them. This rule behaves as I intend, but I'm wondering if I could be doing any of this more efficiently?


when RULE_INIT {
    # initialize the cookie name and rate threshold
    set ::threshold 10
    set ::cookie_name "enh"
}
when HTTP_REQUEST {
    if { [HTTP::cookie exists $::cookie_name] } {
        # extract the cookie value and record the current time
        set cookie_value [HTTP::cookie value $::cookie_name]
        set current_time [clock clicks -milliseconds]
        if { [session lookup uie $cookie_value] eq "" } {
            # if no session exists for this cookie value, create one
            session add uie $cookie_value "$current_time 1" 5
            return
        } else {
            # we've seen this cookie before, so extract the time and the number of occurrences from the session table value
            set stv [split [session lookup uie $cookie_value] " "]
            set stv_time [lindex $stv 0]
            set stv_number [lindex $stv 1]
            # check this cookie against the blacklist.  if the number of occurrences of this
            # cookie is recorded as "-1", refresh the blacklist entry and drop this connection
            if { $stv_number eq -1 } {
                session add uie $cookie_value "$current_time -1" 180
                reject
                return
            }
            # if the current time is less than one second from the time stored in the session table,
            # increment the number of occurrences of the cookie and check it against the threshold.
            if { [expr {$current_time - $stv_time}] < 1000 } {
                incr stv_number
                if { $stv_number > $::threshold } {
                    log local0. "Dropping connection from [IP::client_addr] and blacklisting cookie value $cookie_value after $stv_number submissions in the last 1 second"
                    session add uie $cookie_value "$current_time -1" 180
                    reject
                } else {
                    session add uie $cookie_value "$stv_time $stv_number" 5
                }
            } else {
                # since the current time is more than 1 second from the time stored in the session table,
                # start over with the current time and a single occurrence of the cookie.
                session add uie $cookie_value "$current_time 1" 5
            }
        }
    }
}
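An offline model of the rule's counting and blacklist branches, added here as an example and not part of the original post, for checking how the thresholds behave against constructed request timings before the rule goes onto a BIG-IP. The class and function names are hypothetical, and the model assumes a session-table entry expires a fixed time after the last `session add`.

```python
# Offline model of the iRule's session-table logic (added example, not F5 code).
THRESHOLD = 10        # mirrors ::threshold
WINDOW_MS = 1000      # the rule's one-second window
ENTRY_TTL_S = 5       # timeout on a normal counter entry
BLOCK_TTL_S = 180     # timeout on a blacklist entry


class CookieLimiter:
    def __init__(self):
        # cookie value -> (window_start_ms, count, expires_at_ms); count -1 = blacklisted
        self.table = {}

    def _lookup(self, key, now_ms):
        entry = self.table.get(key)
        if entry is None or now_ms >= entry[2]:
            self.table.pop(key, None)   # assumed expiry: TTL counted from the last add
            return None
        return entry

    def _add(self, key, start_ms, count, ttl_s, now_ms):
        self.table[key] = (start_ms, count, now_ms + ttl_s * 1000)

    def request(self, cookie_value, now_ms):
        """Return 'allow' or 'reject' for one request, following the rule's branches."""
        entry = self._lookup(cookie_value, now_ms)
        if entry is None:
            self._add(cookie_value, now_ms, 1, ENTRY_TTL_S, now_ms)
            return "allow"
        start_ms, count, _ = entry
        if count == -1:                 # blacklisted: refresh the entry and drop
            self._add(cookie_value, now_ms, -1, BLOCK_TTL_S, now_ms)
            return "reject"
        if now_ms - start_ms < WINDOW_MS:
            count += 1
            if count > THRESHOLD:
                self._add(cookie_value, now_ms, -1, BLOCK_TTL_S, now_ms)
                return "reject"
            self._add(cookie_value, start_ms, count, ENTRY_TTL_S, now_ms)
            return "allow"
        self._add(cookie_value, now_ms, 1, ENTRY_TTL_S, now_ms)  # window over: start again
        return "allow"


def replay(timestamps_ms, cookie_value="constructed-value"):
    """Feed constructed request times for one cookie value; return the verdicts."""
    limiter = CookieLimiter()
    return [limiter.request(cookie_value, t) for t in timestamps_ms]
```

The counter is a fixed window anchored at the first request seen, so the ceiling across a window boundary can approach twice the threshold; pick the threshold with that in mind.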