Forum Discussion
Shay_Ben-David1
Nimbostratus
Nimbostratushow to log source ip connections?
i have used the irule for limit connection from one source ip vip in the bigip, this irule also logs each source ip that opend more than X connections, that the irule set.
i would like to log the source ip that pass the X connections and will also includes how many connections this source opend.
when RULE_INIT {
array set ::active_clients { }
array set white_client {
x.x.x.x
y.y.y.y
}
}
when CLIENT_ACCEPTED {
set client_ip [IP::remote_addr]
if { [info exists ::active_clients($client_ip)] && ![info exist ::white_client($client_ip)] } {
if {$::active_clients($client_ip) > 50 } {
reject
log "Alert! Multiple connections to mysite.com$client_ip ($::active_clients($client_ip))"
return
} else {
incr ::active_clients($client_ip)
}
} else {
set ::active_clients($client_ip) 1
}
}
when CLIENT_CLOSED {
set client_ip [IP::remote_addr]
if { [info exists ::active_clients($client_ip)] && ![info exist ::white_client($client_ip)] } {
incr ::active_clients($client_ip) -1
if { $::active_clients($client_ip) <= 0 } {
unset ::active_clients($client_ip)
}
}
}
Shay_Ben-David1Hi, actually i am asking for help, what happen now with this irule, is that it logs the source ip and the connections, but it logs only the " >50" meaning that it show on the log only the 51 connections, what i would like is that it will log the amount of real connections that this source try to open. let say if a source ip is trying to open 2000 simultaneous connections, i want it to be in the log and show how many connection this source is trying to open.
hope this clear my question
thanks
Shane_Benting_5I don't think there is a way to tell how many connections they are trying and block the excess connections, since the it will decrement the counter when the connection is rejected (i.e. CLIENT_CLOSED). However, the script below (modified from yours) will generate a warning if the connections exceed the threshold.
-Shanewhen RULE_INIT { array set ::active_clients { } array set white_client { x.x.x.x y.y.y.y } } when CLIENT_ACCEPTED { set client_ip [IP::remote_addr] if { [info exists ::active_clients($client_ip)] && ![info exist ::white_client($client_ip)] } { if {$::active_clients($client_ip) > 50 } { incr ::active_clients($client_ip) reject log "Alert! $::active_clients($client_ip) connections to mysite.com from $client_ip" return } else { incr ::active_clients($client_ip) } } else { set ::active_clients($client_ip) 1 } } when CLIENT_CLOSED { set client_ip [IP::remote_addr] if { [info exists ::active_clients($client_ip)] && ![info exist ::white_client($client_ip)] } { incr ::active_clients($client_ip) -1 if { $::active_clients($client_ip) <= 0 } { unset ::active_clients($client_ip) } } }- Shay_Ben-David1Thanks you very much, it works fine.
another thing i want to ask, my web sites are getting lots of DOS attack, this is why i am using this irule, and it really helps, the thing is, that my nodes are also open to the internet (application requirements) so we are also getting DOS to specific nodes, i try to use this irule with the routing vip (forwarding type VIP) to try and reject node attack, but this turn to be useless, my question is regarding this issue, if i can use some kind of irule to block DOS from going to my nodes, and not only to the VIP ?
Thanks - Seems that your iRule would work applied to a forwarding virtual server -- what happens?
- Shay_Ben-David1i try using it on the forwarding vip, and all nodes went down, couldn't investigate it because its a production system, do u have any idea why ?
thanks - No clue. That's pretty odd.
I'm not sure why any node's status would be affected by this iRule, and in this case that is especially noteworthy as no nodes are associated with a forwarding VS.
I'd say a support case is in order to look into that further...
/deb
