For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Shay_Ben-David1's avatar
Shay_Ben-David1
Icon for Nimbostratus rankNimbostratus
Oct 18, 2006

how to log source ip connections?

i have used the irule for limit connection from one source ip vip in the bigip, this irule also logs each source ip that opend more than X connections, that the irule set.   i would like to log the...
application delivery
dev
devops
iRules
Shane_Benting_5's avatar
Shane_Benting_5
Icon for Nimbostratus rankNimbostratus
Oct 19, 2006
I don't think there is a way to tell how many connections they are trying and block the excess connections, since the it will decrement the counter when the connection is rejected (i.e. CLIENT_CLOSED). However, the script below (modified from yours) will generate a warning if the connections exceed the threshold.

-Shane

when RULE_INIT {
array set ::active_clients { }
array set white_client {
x.x.x.x
y.y.y.y
}
}
when CLIENT_ACCEPTED {
set client_ip [IP::remote_addr]
if { [info exists ::active_clients($client_ip)] && ![info exist ::white_client($client_ip)] } {
if {$::active_clients($client_ip) > 50 } {
incr ::active_clients($client_ip)
reject
log "Alert! $::active_clients($client_ip) connections to mysite.com from $client_ip"
return
} else {
incr ::active_clients($client_ip)
}
} else {
set ::active_clients($client_ip) 1
}
}
when CLIENT_CLOSED {
set client_ip [IP::remote_addr]
if { [info exists ::active_clients($client_ip)] && ![info exist ::white_client($client_ip)] } {
incr ::active_clients($client_ip) -1
if { $::active_clients($client_ip) <= 0 } {
unset ::active_clients($client_ip)
}
}
}