raydakis
Oct 27, 2023Altocumulus
HTTP Post Flood mitigation with LTM
Hello,
Im using TMOS : 16.1.4 with LTM module only.
I want to block IP addresses if HTTP POST requests on login page goes over some limit in specified period of time.
for example if user send 10 "HTTP post" requests in 30s.
Is it possible to use irule or local traffic policies to mitigate these "HTTP Post" Flood attacks ?
Thanks,
Hi, here is your overly complicated iRule 😉
when RULE_INIT { set static::maxReqs 10; set static::timeout 30; } when HTTP_REQUEST { if { [string tolower [HTTP::method]] equals "post" } { # The following expects the IP addresses in multiple X-forwarded-for headers. It picks the first one. if { [HTTP::header exists X-forwarded-for] } { set client_IP_addr [getfield [lindex [HTTP::header values X-Forwarded-For] 0] "," 1] } else { set client_IP_addr [IP::client_addr] } set getcount [table lookup -notouch $client_IP_addr] if { $getcount equals "" } { table set $client_IP_addr "1" $static::timeout $static::timeout # record of this session does not exist, starting new record, request is allowed. } else { if { $getcount < $static::maxReqs } { table incr -notouch $client_IP_addr # record of this session exists but request is allowed } else { HTTP::respond 403 content { <html> <head><title>HTTP Request denied</title></head> <body>Your HTTP POST requests are being throttled.</body> </html> } } } } }
Credits for this iRule goes to F5. It's a slightly modified version of the iRule that can be found here: https://irules-http.readthedocs.io/en/latest/class2/module1/lab2.html
Have fun,
--Niels