Forum Discussion
HTTP Post Flood mitigation with LTM
Hello,
Im using TMOS : 16.1.4 with LTM module only.
I want to block IP addresses if HTTP POST requests on login page goes over some limit in specified period of time.
for example if user send 10 "HTTP post" requests in 30s.
Is it possible to use irule or local traffic policies to mitigate these "HTTP Post" Flood attacks ?
Thanks,
Hi, here is your overly complicated iRule 😉
when RULE_INIT { set static::maxReqs 10; set static::timeout 30; } when HTTP_REQUEST { if { [string tolower [HTTP::method]] equals "post" } { # The following expects the IP addresses in multiple X-forwarded-for headers. It picks the first one. if { [HTTP::header exists X-forwarded-for] } { set client_IP_addr [getfield [lindex [HTTP::header values X-Forwarded-For] 0] "," 1] } else { set client_IP_addr [IP::client_addr] } set getcount [table lookup -notouch $client_IP_addr] if { $getcount equals "" } { table set $client_IP_addr "1" $static::timeout $static::timeout # record of this session does not exist, starting new record, request is allowed. } else { if { $getcount < $static::maxReqs } { table incr -notouch $client_IP_addr # record of this session exists but request is allowed } else { HTTP::respond 403 content { <html> <head><title>HTTP Request denied</title></head> <body>Your HTTP POST requests are being throttled.</body> </html> } } } } }
Credits for this iRule goes to F5. It's a slightly modified version of the iRule that can be found here: https://irules-http.readthedocs.io/en/latest/class2/module1/lab2.html
Have fun,
--Niels
raydakis I'm sure some sort of overly complicated iRule that would end up using more resources then it should can probably be created but ultimately this should be handled by a different device or possibly ASM instead. This article might assist you in your task.
Hi, here is your overly complicated iRule 😉
when RULE_INIT { set static::maxReqs 10; set static::timeout 30; } when HTTP_REQUEST { if { [string tolower [HTTP::method]] equals "post" } { # The following expects the IP addresses in multiple X-forwarded-for headers. It picks the first one. if { [HTTP::header exists X-forwarded-for] } { set client_IP_addr [getfield [lindex [HTTP::header values X-Forwarded-For] 0] "," 1] } else { set client_IP_addr [IP::client_addr] } set getcount [table lookup -notouch $client_IP_addr] if { $getcount equals "" } { table set $client_IP_addr "1" $static::timeout $static::timeout # record of this session does not exist, starting new record, request is allowed. } else { if { $getcount < $static::maxReqs } { table incr -notouch $client_IP_addr # record of this session exists but request is allowed } else { HTTP::respond 403 content { <html> <head><title>HTTP Request denied</title></head> <body>Your HTTP POST requests are being throttled.</body> </html> } } } } }
Credits for this iRule goes to F5. It's a slightly modified version of the iRule that can be found here: https://irules-http.readthedocs.io/en/latest/class2/module1/lab2.html
Have fun,
--Niels
- raydakisAltocumulus
Hello Niels,
i'll try this irule in my labs environnement this week.
Thanks 👍
raydakis
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com