F5 iRule table command: rate limit or block HTTP requests in two different ways
Hello,
I have seen two ways to use the table command to limit HTTP requests. One is to create a single table entry that has the client IP address as its key and a value that is increased each time the user connects to the VIP. A good example is https://clouddocs.f5.com/training/community/irules/html/class2/module1/lab2.html . This blocks the source IP address for some time, but if we want rate limiting then the next example is better.
The other way is to create a subtable for each connecting client IP address and then count the number of keys in each subtable. This is more RAM memory intensive, but each entry has its own timeout, so if the client connects 20 times and the limit is 21, after some time some of the entries will expire but not all, and when the client tries to connect again maybe there will be 15 entries, so if the client connects 6 times really fast the source IP address will be blocked. This seems more like a rate-limit way of blocking DDoS, as the first method is more like completely blocking the client IP address for some configured time (quarantining the source IP address). A nice example is https://community.f5.com/t5/technical-articles/advanced-irules-tables/ta-p/290369 .
From what I have seen, we can only count all the keys in a subtable and not filter based on a repeating key, so you need to create a subtable for each client IP, as you can't use a single subtable.
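The two patterns described above side by side, as an added example and not code from either linked article: `static::mode` selects between a single counter per client IP with a fixed lifetime (quarantine style) and a per-client subtable where every request is its own expiring key (sliding window style). The threshold, window length, mode variable and the `rl_` subtable prefix are assumed values chosen for illustration.

```tcl
when RULE_INIT {
    # Assumed tuning values: allow maxReqs requests per windowSecs from one client IP.
    set static::maxReqs 20
    set static::windowSecs 10
    # "counter" = one entry per IP (blocks the IP until the entry dies);
    # "subtable" = one key per request (expired requests fall out individually).
    set static::mode "subtable"
}

when HTTP_REQUEST {
    set srcip [IP::client_addr]

    if { $static::mode eq "counter" } {
        # Method 1: single entry keyed by client IP. -notouch keeps lookups from
        # extending the timeout; the lifetime makes the entry expire regardless
        # of activity, which is what gives the "quarantine for N seconds" effect.
        set cnt [table lookup -notouch $srcip]
        if { $cnt eq "" } {
            table set $srcip 1 indefinite $static::windowSecs
        } elseif { $cnt >= $static::maxReqs } {
            HTTP::respond 429 content "Too Many Requests" Retry-After $static::windowSecs
            return
        } else {
            table incr -notouch $srcip
        }
    } else {
        # Method 2: one subtable per client IP, one key per request. Each key has
        # its own lifetime, so the count is the number of requests still inside
        # the window; old requests age out on their own and the IP is not
        # blocked outright, only throttled while the window is full.
        set sub "rl_$srcip"
        set n [table keys -subtable $sub -count]
        if { $n >= $static::maxReqs } {
            HTTP::respond 429 content "Too Many Requests" Retry-After $static::windowSecs
            return
        }
        # Key must be unique per request; clock clicks plus client port is used here
        # (assumed adequate for illustration; a collision would overwrite one entry).
        table set -subtable $sub "[clock clicks]:[TCP::client_port]" 1 indefinite $static::windowSecs
    }
}
```

Each subtable key is a separate table entry, so the memory cost of the second mode grows with requests per window per client, which is the RAM trade-off noted above; logging the 429 responses gives a simple detection signal for clients that repeatedly hit the limit.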