Forum Discussion
Alexander_Kwong
Nimbostratus
Nov 21, 2013
how to limit a client IP from continuously opening connections to the server
Hi guys, I'm a noob to iRules and was wondering if there was a way we could write up an iRule to limit the amount of connections a user can open over a course of a period of time. We got hammered by...
John_Alam_45640
Nov 22, 2013
Historic F5 Account
Here is a better version of this iRule.
    when RULE_INIT {
        # This is the max requests allowed during "interval" specified below.
        set static::maxRate 10;

        # Below is the lifetime of the subtable record in seconds.
        # This defines the interval during which requests are tallied. Example: Rate=10 and Timeout=3, allows 10 requests in 3 seconds.
        # Note: do not use a very high timeout because it increases memory utilization, especially under high load.
        # Note: A rate of 100 in 50 seconds is the same as a rate of 20 in 1 second. But 1 second is a lot easier on memory,
        # because the records expire more quickly and the table does not become too large.
        set static::timeout 3;
    }
    when HTTP_REQUEST {
        # Current request count for this client IP; -notouch leaves the record's expiry unchanged.
        set getCount [table lookup -notouch -subtable requests [IP::client_addr]]
        if { $getCount equals "" } {
            # First request in this interval: create the record with the configured timeout and lifetime.
            log local0. "New one: getCount=$getCount [IP::client_addr] [clock seconds]"
            table set -subtable requests [IP::client_addr] "1" $static::timeout $static::timeout
        } else {
            if { $getCount < $static::maxRate } {
                table incr -notouch -subtable requests [IP::client_addr]
            } else {
                # Log only once per interval, when the limit is first reached.
                if { $getCount == $static::maxRate } {
                    log local0. "User @ [IP::client_addr] [clock seconds] has reached $getCount in $static::timeout seconds."
                    table incr -notouch -subtable requests [IP::client_addr]
                }
                HTTP::respond 501 content "Request blocked Exceeded requests/sec limit."
                drop
                return
            }
        }
    }
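The counting behaviour of the iRule above, modelled in Python as an added example (not part of the original post and not F5 code), so that `maxRate` and `timeout` values can be tried against request timestamps before deployment. It assumes a record expires exactly `timeout` seconds after it is created, since every access uses `-notouch`; `RequestTable`, `replay` and the sample addresses are constructed for illustration.

```python
from collections import defaultdict

MAX_RATE = 10   # static::maxRate in the iRule
TIMEOUT = 3     # static::timeout in the iRule (seconds)

class RequestTable:
    """Model of the 'requests' subtable: one counter per client IP.

    Assumption: because lookup/incr use -notouch, a record expires
    TIMEOUT seconds after creation, regardless of later traffic.
    """
    def __init__(self, max_rate=MAX_RATE, timeout=TIMEOUT):
        self.max_rate = max_rate
        self.timeout = timeout
        self.records = {}  # ip -> (count, created_at)

    def allow(self, ip, now):
        rec = self.records.get(ip)
        if rec is not None and now - rec[1] >= self.timeout:
            rec = None                                # record has expired
        if rec is None:
            self.records[ip] = (1, now)               # table set ... "1"
            return True
        count, created = rec
        if count < self.max_rate:
            self.records[ip] = (count + 1, created)   # table incr -notouch
            return True
        if count == self.max_rate:
            self.records[ip] = (count + 1, created)   # logged once in the iRule
        return False                                  # HTTP::respond 501 + drop

def replay(events, **kw):
    """events: iterable of (timestamp_seconds, ip). Returns {ip: [allowed, blocked]}."""
    table = RequestTable(**kw)
    totals = defaultdict(lambda: [0, 0])
    for ts, ip in sorted(events):
        totals[ip][0 if table.allow(ip, ts) else 1] += 1
    return dict(totals)

# Constructed sample: one client sends 5 requests/second for 6 seconds,
# another sends 1 request/second. Addresses are from documentation ranges.
SAMPLE = [(s + i / 5, "198.51.100.7") for s in range(6) for i in range(5)]
SAMPLE += [(float(s), "203.0.113.20") for s in range(6)]

if __name__ == "__main__":
    for ip, (ok, blocked) in replay(SAMPLE).items():
        print(f"{ip}: allowed={ok} blocked={blocked}")
```

With the defaults, the faster client gets 10 requests through in each 3-second interval and the rest are blocked, while the slower client is never blocked.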
Alexander_Kwong
Nimbostratus
Nov 22, 2013
Thanks John. I'll test this iRule out and see how it works for us.