Forum Discussion
How to Create a DataClass in LTM V10 and Insert the same In Irule for Preventing Malacious AttacK
Hi,
We have the below Irule used to prevent a site from attack by limiting some of the features:
when RULE_INIT {
    # Set Static variables to be shared amongst all TMMs
    # These variables must not be changed by the iRule itself, only referenced
    # If the values need to be tweaked, they must be edited from the GUI
    # MaxRate is the threshold where requests will start to be blocked in transactions per second
    # WindowCalc is the length of the window in seconds used to calculate the transaction rate.
    #   Making this value too small may result in legitimate traffic being blocked on initial
    #   page load if there are a large number of small objects
    # ShortBlockTime is the amount of time in seconds that an IP will be blocked unless it
    #   triggers the long block time
    # LongBlockTime is the amount of time in seconds that an IP will be blocked after
    #   triggering the long block time
    # LongBlockTrigger is the number of times an IP can trigger the short time block before
    #   having the long block time assigned
    #   ie: If LongBlockTrigger is set to 3, the first three times an IP exceeds the MaxRate it
    #   will be blocked for ShortBlockTime. the fourth time it exceeds the MaxRate it will be
    #   blocked for the LongBlockTrigger
    # GracePeriod is the amount of time in seconds after the last block that the block count
    #   is cleared. After this time, any IP that was blocked for the LongBlockTime that exceeds
    #   the MaxRate will first be blocked for the ShortBlockTime
    set static::IPWhitelist "classname"
    set static::MaxRate 15
    set static::WindowCalc 2
    set static::ShortBlockTime 30
    set static::LongBlockTime 30
    set static::LongBlockTrigger 3
    set static::GracePeriod 3600
}
when HTTP_REQUEST {
    set ClientIP [IP::client_addr]
    set currentTime [clock seconds]
    set windowStart [expr {$currentTime - $static::WindowCalc}]
    set reqCount 0
    set RepeatOffender 0
    # Check to see if the IP is in the White list. If so, no reason to do the math and track requests
    if { ![class match [IP::client_addr] equals "$static::IPWhitelist" ] } {
        # Check to see if the IP is in the BlackList table, if so no need for math.
        if { [table lookup -notouch -subtable "BlackList" $ClientIP] ne "" } {
            HTTP::respond 501 content "Request blockedExceeded requests/sec limit."
        } else {
            # Sum the number of requests made during the defined window to calculate
            # the rate and remove pointers that are older than the window start
            foreach { requestTime } [table keys -subtable "REQ:${ClientIP}"] {
                if { $requestTime > $windowStart } {
                    incr reqCount 1
                } else {
                    table delete -subtable "REQ:${ClientIP}" $requestTime
                }
            }
            if { $reqCount < $static::MaxRate } {
                # add new record to the session table for counting purposes
                set keyvalue "$currentTime..[expr { int(10000000 * rand()) }]"
                table set -subtable "REQ:${ClientIP}" $keyvalue "ignored" $static::ShortBlockTime $static::ShortBlockTime
            } else {
                # Uncomment the line below if you want messages indicating when a client exceeds the request limit
                log -noname local0. "Request denied, ${ClientIP} has exceeded the request limit"
                HTTP::respond 501 content "Request blockedExceeded requests/sec limit."
                # Check to see if this is a frequent flyer and apply the LongBlockTime if so
                # Otherwise the ShortBlockTime
                if { [table lookup -notouch -subtable "RepeatOffender" $ClientIP] > $static::LongBlockTrigger } {
                    table set -subtable "BlackList" $ClientIP "ignored" $static::LongBlockTime $static::LongBlockTime
                } else {
                    table set -subtable "BlackList" $ClientIP "ignored" $static::ShortBlockTime $static::ShortBlockTime
                    table incr -subtable "RepeatOffender" $ClientIP
                    table timeout -subtable "RepeatOffender" $ClientIP $static::GracePeriod
                    return
                }
            }
        }
    } else {
        return
    }
}
=============
This iRule will rate limit based on source IP address. A dataclass must be created, and the name assigned to the IPWhitelist variable in the RULE_INIT event.
Query:
- Please assist in how to create the DataClass and associate the parameters into the Irule and how my Irule will look like after the change. Please assist.
Thanks and Regards Parveez
7 Replies
- Kevin_Stewart
Employee
Untested, but try this:
when RULE_INIT {
    # Set Static variables to be shared amongst all TMMs
    # These variables must not be changed by the iRule itself, only referenced
    # If the values need to be tweaked, they must be edited from the GUI
    # MaxRate is the threshold where requests will start to be blocked in transactions per second
    # WindowCalc is the length of the window in seconds used to calculate the transaction rate.
    #   Making this value too small may result in legitimate traffic being blocked on initial
    #   page load if there are a large number of small objects
    # ShortBlockTime is the amount of time in seconds that an IP will be blocked unless it
    #   triggers the long block time
    # LongBlockTime is the amount of time in seconds that an IP will be blocked after
    #   triggering the long block time
    # LongBlockTrigger is the number of times an IP can trigger the short time block before
    #   having the long block time assigned
    #   ie: If LongBlockTrigger is set to 3, the first three times an IP exceeds the MaxRate it
    #   will be blocked for ShortBlockTime. the fourth time it exceeds the MaxRate it will be
    #   blocked for the LongBlockTrigger
    # GracePeriod is the amount of time in seconds after the last block that the block count
    #   is cleared. After this time, any IP that was blocked for the LongBlockTime that exceeds
    #   the MaxRate will first be blocked for the ShortBlockTime
    set static::IPWhitelist "my_ip_data_group"
    set static::MaxRate 15
    set static::WindowCalc 2
    set static::ShortBlockTime 30
    set static::LongBlockTime 30
    set static::LongBlockTrigger 3
    set static::GracePeriod 3600
}
when HTTP_REQUEST {
    set ClientIP [IP::client_addr]
    set currentTime [clock seconds]
    set windowStart [expr {$currentTime - $static::WindowCalc}]
    set reqCount 0
    set RepeatOffender 0
    # Check to see if the IP is in the White list. If so, no reason to do the math and track requests
    if { not ( [class match $ClientIP equals "$static::IPWhitelist" ] ) } {
        # Check to see if the IP is in the BlackList table, if so no need for math.
        if { [table lookup -notouch -subtable "BlackList" $ClientIP] ne "" } {
            HTTP::respond 501 content "Request blockedExceeded requests/sec limit."
        } else {
            # Sum the number of requests made during the defined window to calculate
            # the rate and remove pointers that are older than the window start
            foreach { requestTime } [table keys -subtable "REQ:${ClientIP}"] {
                if { $requestTime > $windowStart } {
                    incr reqCount 1
                } else {
                    table delete -subtable "REQ:${ClientIP}" $requestTime
                }
            }
            if { $reqCount < $static::MaxRate } {
                # add new record to the session table for counting purposes
                set keyvalue "$currentTime..[expr { int(10000000 * rand()) }]"
                table set -subtable "REQ:${ClientIP}" $keyvalue "ignored" $static::ShortBlockTime $static::ShortBlockTime
            } else {
                # Uncomment the line below if you want messages indicating when a client exceeds the request limit
                log -noname local0. "Request denied, ${ClientIP} has exceeded the request limit"
                HTTP::respond 501 content "Request blockedExceeded requests/sec limit."
                # Check to see if this is a frequent flyer and apply the LongBlockTime if so
                # Otherwise the ShortBlockTime
                if { [table lookup -notouch -subtable "RepeatOffender" $ClientIP] > $static::LongBlockTrigger } {
                    table set -subtable "BlackList" $ClientIP "ignored" $static::LongBlockTime $static::LongBlockTime
                } else {
                    table set -subtable "BlackList" $ClientIP "ignored" $static::ShortBlockTime $static::ShortBlockTime
                    table incr -subtable "RepeatOffender" $ClientIP
                    table timeout -subtable "RepeatOffender" $ClientIP $static::GracePeriod
                    return
                }
            }
        }
    } else {
        return
    }
}
Create an address-based data group and add IPs and/or IP subnets. Simply reference the name of that data group in the static::IPWhitelist variable assignment.
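To make the iRule's decision logic above easier to reason about (whitelist short-circuit, sliding request window, short versus long blacklist entry, repeat-offender counter cleared after the grace period), here is an added Python model of it. It is a constructed example, not F5 code and not part of this thread: plain dicts stand in for the BIG-IP session table, and a list of CIDR strings stands in for the address data group, which matches a client by subnet containment. The timing values are the ones set in RULE_INIT; the client addresses and timestamps are constructed. Because the posted rule tests the RepeatOffender counter with a strict "greater than", the model shows the long block arriving on the fifth consecutive burst rather than the fourth described in the comments.

```python
"""Offline model of the source-IP rate limiter iRule (constructed example)."""
import ipaddress


class RateLimiter:
    def __init__(self, whitelist, max_rate=15, window_calc=2,
                 short_block_time=30, long_block_time=30,
                 long_block_trigger=3, grace_period=3600):
        # 'whitelist' stands in for the address data group (assumed CIDR strings).
        self.whitelist = [ipaddress.ip_network(c, strict=False) for c in whitelist]
        self.max_rate = max_rate
        self.window_calc = window_calc
        self.short_block_time = short_block_time
        self.long_block_time = long_block_time
        self.long_block_trigger = long_block_trigger
        self.grace_period = grace_period
        self.requests = {}    # REQ:<ip> subtable   -> ip: list of request timestamps
        self.blacklist = {}   # BlackList subtable  -> ip: expiry time
        self.offenders = {}   # RepeatOffender      -> ip: (count, expiry time)

    def handle_request(self, client_ip, now):
        """Return the verdict the iRule would reach for one request at time `now`."""
        addr = ipaddress.ip_address(client_ip)
        # Whitelisted clients skip every other check and are never tracked.
        if any(addr in net for net in self.whitelist):
            return "whitelisted"
        # Live blacklist entry: the 501 response is sent without touching any counter.
        if self.blacklist.get(client_ip, 0) > now:
            return "blocked:blacklisted"
        self.blacklist.pop(client_ip, None)  # expired entry, drop it
        # Sliding window: keep only timestamps strictly newer than windowStart.
        window_start = now - self.window_calc
        recent = [t for t in self.requests.get(client_ip, []) if t > window_start]
        self.requests[client_ip] = recent
        if len(recent) < self.max_rate:
            recent.append(now)  # record this request for later rate calculations
            return "allowed"
        # Rate exceeded: choose between the long and the short block.
        count, expiry = self.offenders.get(client_ip, (0, 0))
        if now >= expiry:       # grace period elapsed, counter entry has expired
            count = 0
        if count > self.long_block_trigger:
            self.blacklist[client_ip] = now + self.long_block_time
            return "blocked:long"
        self.blacklist[client_ip] = now + self.short_block_time
        # table incr + table timeout: bump the counter and restart the grace period
        self.offenders[client_ip] = (count + 1, now + self.grace_period)
        return "blocked:short"


def burst(limiter, client_ip, at):
    """Send max_rate + 1 requests in the same second and return the last verdict."""
    verdict = None
    for _ in range(limiter.max_rate + 1):
        verdict = limiter.handle_request(client_ip, at)
    return verdict


def escalation_sequence(client_ip="203.0.113.5", interval=40, bursts=5):
    """Verdicts for repeated bursts spaced wider than the short block time."""
    limiter = RateLimiter(whitelist=["10.0.0.0/8"])  # constructed whitelist
    return [burst(limiter, client_ip, n * interval) for n in range(bursts)]


if __name__ == "__main__":
    print(escalation_sequence())
    # prints ['blocked:short', 'blocked:short', 'blocked:short', 'blocked:short', 'blocked:long']
```

A whitelist entry of `0.0.0.0/0` (the address plus the 0.0.0.0 mask discussed later in this thread) matches every client, so with it in place no request is ever rate limited; a narrower entry such as a monitoring subnet is what the whitelist is normally for.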
- Parveez_70209
Nimbostratus
Hi Kevin,
This site will be exposed to Internet and it will be accessed via everywhere, so we want the IP's to be matched with the below parameters:
set static::IPWhitelist "classname"
set static::MaxRate 15
set static::WindowCalc 2
set static::ShortBlockTime 30
set static::LongBlockTime 30
set static::LongBlockTrigger 3
set static::GracePeriod 3600
So, I created an Address Data-Group named my_ip_data_group where I specified or added the below. Kindly assist in cross-checking whether it will work:
Selected Network:
Address: 0.0.0.0 Mask: 255.255.255.255 Value: None
Is the above correct Sir?
So, in the whole Irule only the my_ip_data_group part needs to be added, right? Kindly assist Sir.
Thanks and Regards Parveez
- Kevin_Stewart
Employee
If you're trying to match all IP addresses, then it should probably be
Address: 0.0.0.0 Mask: 0.0.0.0
- Parveez_70209
Nimbostratus
Hi Kevin,
Got you.
Just clearing my doubt on the below queries:
1. So the mentioned Irule has one IPWhitelist, so if we add some IP's into that, will it not check any of the set parameters defined?
2. And in which list will it compare to drop it down when comparing with the set variables defined?
3. And where to obtain the logging data/filter it to check?
Thanks and Regards Parveez
- Parveez_70209
Nimbostratus
And also Sir, need to know any test setup by some Application team in testing environment.
Thanks and Regards Parveez
- Kevin_Stewart
Employee
So the mentioned Irule have one IPWhitelist, so if we add some IP's into that, so that will not check any of the set parameters defined ?
If the IP is in the white list, none of the remaining conditions will be evaluated.
And in which list it will compare to drop it down when comparing with the set variables defined?
Not sure I understand this question.
And where to obtain the logging data/filter it to check ?
You just need to drop some log statements into your code for each condition.
need to know any test setup by some Application team in testing environment.
Not sure I understand this question either.
- Parveez_70209
Nimbostratus
Hi Kevin,
Thank you so much, it really helped.
Thanks and Regards Parveez