Forum Discussion

MVP

Mar 31, 2022

F5 irule Table command rate limit or block HTTP requests in two different ways

Hello, I have seen two ways to use the table command to limit HTTP requests as one is to create a single table entry that has as key the client IP address and the value is increased each time t...

application delivery

irule

Patrik_Jonsson

MVP

Apr 30, 2022

There's no question above to answer but I can share a suggestion.

In the past I've done this with global tables but prefixing the key with the virtual server name ("[virtual name][IP::client_addr]") and when someone was blocked we sent a JSON document to Splunk.

Reason being:

We did not really care about the state/content of the table until an action was taken.
By sending the blocked IPs to Splunk it made the troubleshooting easier.
Prefixing the table key with the VIP name prevented key overlapping in case one IP accessed multiple VIPs.

I'd also like to add that I'd never try DDOS protection on premise as I believe it's a lost cause. Better leave that to the big guys in the Cloud such as Silverline, Cloudflare or Akamai. Throttling individual clients to prevent abuse however is alright in my book. 🙂

Nikoolayy1

MVP

May 04, 2022

If we are talking about layer 3/4 DDOS I agree 100% that better to block this on a scrubbing center before your Data Center but for Layer 7 Web DDOS still many do this not only on the CDN provider but on-prem with a WAF system like F5 advanced WAF( ASM) as Layer 7 Web DDOS in most cases is not with many packets but targeting a specific part of the web application.

It is good to mention that sometimes the scrubbing center blocks BIG volumetric DDOS attacks and on many places I worked on after the scrubbing center then there is F5 AFM on-prem that uses machine learning for making a dynamic DDOS baseline threshold to catch the Layer 3/4 attacks that scrubbing center didn't or to protect till scrubbing center activates their DDOS protections. This can be combined with Silverline so the AFM to redirect the traffic to Silveline when there is DDOS and in this way you don't pay non-stop for a scrubbing center:

https://www.f5.com/pdf/products/ddos-hybrid-defender-for-the-data-center.pdf

Still the future seems to be the Volterra distributed cloud (maybe F5 in the future will merge Silverline and Volterra but we will have to see) and if you have not reviewed it I recommend doing so as you did not mention it as an option as there is a free simulator for it:

https://simulator.f5.com/

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

GitHub Awesome-F5

Forum Discussion

F5 irule Table command rate limit or block HTTP requests in two different ways

Jonathan - March 2026 Featured Member

F5 AppWorld 2026 Las Vegas - iRules Contest Winners!

2026 F5 DevCentral MVP Announcement

Recent Discussions

ASM allow specific url from outside country of geolocation ON

F5 DNS Logs in JSON Format

APM - Portal access - Issue

How to configure ssh access by key on F5OS

ASM/AWAF declarative policy

Related Content

WAF evasion techniques for Command Injection

HTTP Request Smuggling Using Chunk Extensions (CVE-2025-55315)

Overview of MITRE ATT&CK Tactic - TA0011 Command and Control

Power of tmsh commands using Ansible

Logging DNS Requests

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS