Forum Discussion
Parveez_70209
Nimbostratus
Nov 12, 2013
How to Create a Data Class in LTM V10 and Insert the Same in an iRule for Preventing Malicious Attack
Hi,
We have the iRule below, used to prevent a site from attack by limiting some of the features:
when RULE_INIT {
    # Set Static variables to be shared amongst all TMMs
    # These variables must not be c...
Kevin_Stewart
Employee
Nov 12, 2013
Untested, but try this:
when RULE_INIT {
    # Set static variables to be shared amongst all TMMs.
    # These variables must not be changed by the iRule itself, only referenced.
    # If the values need to be tweaked, they must be edited from the GUI.
    #
    # IPWhitelist is the name of an address-type data group; clients matching it are never throttled.
    # MaxRate is the threshold where requests will start to be blocked, in transactions per second.
    # WindowCalc is the length of the window in seconds used to calculate the transaction rate.
    #   Making this value too small may result in legitimate traffic being blocked on initial page load
    #   if there are a large number of small objects.
    # ShortBlockTime is the amount of time in seconds that an IP will be blocked unless it triggers the long block time.
    # LongBlockTime is the amount of time in seconds that an IP will be blocked after triggering the long block time.
    # LongBlockTrigger is the number of times an IP can trigger the short block before having the long block time assigned,
    #   i.e. if LongBlockTrigger is set to 3, the first three times an IP exceeds the MaxRate it will be blocked for ShortBlockTime;
    #   the fourth time it exceeds the MaxRate it will be blocked for the LongBlockTime.
    # GracePeriod is the amount of time in seconds after the last block that the block count is cleared. After this time, any IP that
    #   was blocked for the LongBlockTime and exceeds the MaxRate again will first be blocked for the ShortBlockTime.
    set static::IPWhitelist "my_ip_data_group"
    set static::MaxRate 15
    set static::WindowCalc 2
    set static::ShortBlockTime 30
    set static::LongBlockTime 30
    set static::LongBlockTrigger 3
    set static::GracePeriod 3600
}
when HTTP_REQUEST {
    set ClientIP [IP::client_addr]
    set currentTime [clock seconds]
    set windowStart [expr {$currentTime - $static::WindowCalc}]
    set reqCount 0

    # Check whether the IP is in the whitelist. If so, there is no reason to do the math and track requests.
    if { not ( [class match $ClientIP equals "$static::IPWhitelist" ] ) } {
        # Check whether the IP is in the BlackList table; if so, no need for math.
        # -notouch keeps the lookup from refreshing the entry's timeout.
        if { [table lookup -notouch -subtable "BlackList" $ClientIP] ne "" } {
            HTTP::respond 501 content "Request blocked: exceeded requests/sec limit."
            return
        } else {
            # Sum the number of requests made during the defined window to calculate
            # the rate and remove entries that are older than the window start.
            # Keys are "<epoch seconds>..<random>", so take the part before the dots to get
            # a number; comparing the raw key against $windowStart would fall back to string comparison.
            foreach { key } [table keys -subtable "REQ:${ClientIP}"] {
                set requestTime [lindex [split $key "."] 0]
                if { $requestTime > $windowStart } {
                    incr reqCount 1
                } else {
                    table delete -subtable "REQ:${ClientIP}" $key
                }
            }
            if { $reqCount < $static::MaxRate } {
                # Add a new record to the session table for counting purposes.
                # The random suffix keeps several requests in the same second from sharing a key.
                set keyvalue "$currentTime..[expr { int(10000000 * rand()) }]"
                table set -subtable "REQ:${ClientIP}" $keyvalue "ignored" $static::ShortBlockTime $static::ShortBlockTime
            } else {
                # Uncomment the line below if you want messages indicating when a client exceeds the request limit.
                #log -noname local0. "Request denied, ${ClientIP} has exceeded the request limit"
                # 501 is what the original rule sends; 429 (Too Many Requests) is the conventional status for throttling.
                HTTP::respond 501 content "Request blocked: exceeded requests/sec limit."
                # Check whether this is a frequent flyer and apply the LongBlockTime if so,
                # otherwise the ShortBlockTime. The lookup returns "" for a first offender.
                set offences [table lookup -notouch -subtable "RepeatOffender" $ClientIP]
                if { $offences ne "" && $offences >= $static::LongBlockTrigger } {
                    table set -subtable "BlackList" $ClientIP "ignored" $static::LongBlockTime $static::LongBlockTime
                } else {
                    table set -subtable "BlackList" $ClientIP "ignored" $static::ShortBlockTime $static::ShortBlockTime
                    table incr -subtable "RepeatOffender" $ClientIP
                    table timeout -subtable "RepeatOffender" $ClientIP $static::GracePeriod
                }
                return
            }
        }
    } else {
        return
    }
}
Create an address-based data group and add IPs and/or IP subnets. Simply reference the name of that data group in the static::IPWhitelist variable assignment.
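Because the rule above is posted untested and the three timers interact (sliding window, short/long block, grace period), it helps to run the same logic offline before putting it on a BIG-IP. The Python below is an added example, not code from the post or from F5: it models the iRule's session tables as dictionaries with explicit expiry, takes the clock as a parameter, and replays a constructed traffic timeline for a whitelisted client and an attacker. It follows the escalation rule as the rule's own comments describe it (the fourth exceedance within the grace period gets the long block). The IPs, the whitelist contents and the LongBlockTime of 300 seconds are constructed for the demonstration; every other knob is the value from the post.

```python
"""Offline model of the DevCentral request-throttling iRule (added example).

Tables are plain dicts keyed the same way the iRule keys its subtables, with an
expiry timestamp standing in for the BIG-IP table timeout. Time is injected so
the scenario is deterministic.
"""
from dataclasses import dataclass, field
from itertools import count

_seq = count()  # stands in for the rand() suffix that keeps per-second keys unique


@dataclass
class Throttle:
    # Same knobs as the iRule's static:: variables (defaults copied from the post).
    max_rate: int = 15
    window: int = 2
    short_block: int = 30
    long_block: int = 30
    long_trigger: int = 3
    grace: int = 3600
    whitelist: frozenset = frozenset()          # models the address data group
    req: dict = field(default_factory=dict)     # "REQ:<ip>"      -> {key: expiry}
    blacklist: dict = field(default_factory=dict)  # "BlackList"  -> {ip: expiry}
    offenders: dict = field(default_factory=dict)  # "RepeatOffender" -> {ip: (count, expiry)}

    def _expire(self, now):
        """Drop entries whose timeout has passed (the BIG-IP table does this itself)."""
        self.blacklist = {ip: exp for ip, exp in self.blacklist.items() if exp > now}
        self.offenders = {ip: v for ip, v in self.offenders.items() if v[1] > now}
        for ip in list(self.req):
            self.req[ip] = {k: exp for k, exp in self.req[ip].items() if exp > now}

    def request(self, ip, now):
        """Return 'allow', 'blocked' (already blacklisted), 'limit-short' or 'limit-long'."""
        self._expire(now)
        if ip in self.whitelist:            # class match: no tracking at all
            return "allow"
        if ip in self.blacklist:            # table lookup -notouch BlackList
            return "blocked"
        window_start = now - self.window
        bucket = self.req.setdefault(ip, {})
        hits = 0
        for key in list(bucket):            # count in-window entries, purge the rest
            if int(key.split(".")[0]) > window_start:
                hits += 1
            else:
                del bucket[key]
        if hits < self.max_rate:
            bucket[f"{now}..{next(_seq)}"] = now + self.short_block
            return "allow"
        strikes = self.offenders.get(ip, (0, 0))[0]
        if strikes >= self.long_trigger:    # frequent flyer: long block, counter untouched
            self.blacklist[ip] = now + self.long_block
            return "limit-long"
        self.blacklist[ip] = now + self.short_block
        self.offenders[ip] = (strikes + 1, now + self.grace)  # table incr + table timeout
        return "limit-short"


def burst(t, ip, now, n=16):
    """n requests from one client in the same second; 16 is one over MaxRate."""
    return [t.request(ip, now) for _ in range(n)]


def run_scenario():
    """Constructed timeline: attacker 198.51.100.7, whitelisted client 10.0.0.5."""
    t = Throttle(long_block=300, whitelist=frozenset({"10.0.0.5"}))
    atk = "198.51.100.7"
    r = {}
    r["whitelist_never_limited"] = set(burst(t, "10.0.0.5", 100, 40)) == {"allow"}
    first = burst(t, atk, 100)
    r["first_burst"] = first[:15] == ["allow"] * 15 and first[15] == "limit-short"
    r["refused_during_short_block"] = t.request(atk, 110) == "blocked"
    r["second_exceedance_short"] = burst(t, atk, 131)[15] == "limit-short"
    r["third_exceedance_short"] = burst(t, atk, 162)[15] == "limit-short"
    r["fourth_exceedance_long"] = burst(t, atk, 193)[15] == "limit-long"
    r["still_blocked_after_30s"] = t.request(atk, 250) == "blocked"
    r["released_after_long_block"] = t.request(atk, 494) == "allow"
    r["grace_expired_back_to_short"] = burst(t, atk, 4000)[15] == "limit-short"
    return r


if __name__ == "__main__":
    for name, ok in run_scenario().items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

Two things the replay makes visible that are easy to miss when reading the rule: the RepeatOffender counter is only refreshed on a short block, so a client that keeps earning long blocks falls back to short blocks exactly GracePeriod seconds after its last short one; and because per-request entries live for ShortBlockTime but the window is only WindowCalc seconds, the purge loop in the foreach is what keeps the subtable small.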