For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Greg_Wood_33904's avatar
Greg_Wood_33904
Icon for Nimbostratus rankNimbostratus
Mar 30, 2010

How to limit the SSL TPS per VIP

We would like to assign a quota for the amount of SSL TPS each site can use so that one site does not take down all the others once the TPS limit has been reached (Client SSL only).     Of ...
application delivery
dev
devops
iRules
Hamish's avatar
Hamish
Icon for Cirrocumulus rankCirrocumulus
May 17, 2011
Oh... The reason I suggest using that iRule as a base is the perennial problem of not just counting SSl TPS... but also making sure that existign users don't get locked out by a random attack... You want to have 2 lmits... One for ALL negotiations (Including unknown/new users). And one slightly higher reserved for existing sessions. So ensuring that a ruch of new clients won't blow out existing users half way.

 

 

Also you'll probably want a way to track the sessions and delete any you don't like/want... Like a manual blacklist. You could use classes, or in-memory tables. YMMV (Each has its advantages/disadvantages)

 

 

H