Forum Discussion
Greg_Wood_33904
Nimbostratus
Mar 30, 2010
How to limit the SSL TPS per VIP
We would like to assign a quota for the amount of SSL TPS each site can use so that one site does not take down all the others once the TPS limit has been reached (Client SSL only).
Of ...
Colin_Walker_12
May 17, 2011
Historic F5 Account
There's an iRule that's most of the way there posted out on DevCentral already in David Holmes' blog about SSL Renegotiation (http://devcentral.f5.com/weblogs/david/archive/2011/05/16/ssl-renegotiation-dos-irule-updates.aspx):
when RULE_INIT {
    # Maximum handshakes allowed per connection within the window
    set static::maxquery 5
    # Window length in milliseconds (60 seconds)
    set static::mseconds 60000
}
when CLIENT_ACCEPTED {
    # Per-connection handshake counter (initial handshake plus renegotiations)
    set ssl_hs_reqs 0
}
when CLIENTSSL_HANDSHAKE {
    incr ssl_hs_reqs
    # Age this handshake out of the count once the window has passed
    after $static::mseconds { if {$ssl_hs_reqs > 0} {incr ssl_hs_reqs -1} }
    if { $ssl_hs_reqs > $static::maxquery } {
        # Hold the offending connection for 5 seconds before dropping it
        after 5000
        log "Handshake attack detected, dropping [IP::client_addr]:[TCP::client_port]"
        drop
    }
}
That could very easily be modified to fit your needs I think. It's already tracking how many handshakes there are in a given time period, you'd just need to modify the behavior and parameters a bit.
Colin
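The iRule above counts handshakes per connection, which is what a renegotiation attack looks like; the original question asks for a quota per site, so the count has to be shared across all connections to one virtual server. The following is added here as an example of that modification and is not code from the thread or from David Holmes' blog. It records each completed handshake in a session-table subtable named after the virtual server, gives every entry a one-second lifetime, and rejects the connection once the number of live entries exceeds a quota. The variable static::ssl_tps_limit and its value of 100 are assumptions for illustration.

```tcl
when RULE_INIT {
    # Assumed quota: completed client-side handshakes per second per virtual server
    set static::ssl_tps_limit 100
}

when CLIENTSSL_HANDSHAKE {
    # One subtable per virtual server, so each site draws on its own quota
    set vs_table "ssl_tps_[virtual name]"

    # Record this handshake. The key only has to be unique; the client
    # address, port and clock clicks together make it so. Timeout is
    # indefinite, lifetime is 1 second, so the entry expires on its own.
    set key "[IP::client_addr]:[TCP::client_port]:[clock clicks]"
    table set -subtable $vs_table $key 1 indef 1

    # Entries still alive are the handshakes seen in the last second
    set tps [table keys -subtable $vs_table -count]

    if { $tps > $static::ssl_tps_limit } {
        log local0. "SSL TPS quota ($static::ssl_tps_limit) exceeded on [virtual name], rejecting [IP::client_addr]:[TCP::client_port]"
        reject
    }
}
```

Two caveats a practitioner would want. CLIENTSSL_HANDSHAKE fires after the handshake has finished, so the CPU for that handshake is already spent; what this rule sheds is the traffic after it, which keeps one site from monopolising the box but does not stop the handshake work itself. Renegotiations also fire the event, so they count against the same quota, which is the behaviour you want for the attack the blog post addresses.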