Forum Discussion

raydakis's avatar
raydakis
Icon for Altocumulus rankAltocumulus
Oct 27, 2023
Solved

HTTP Post Flood mitigation with LTM

Hello,

Im using TMOS : 16.1.4 with LTM module only.

I want to block IP addresses if HTTP POST requests on login page goes over some limit in specified period of time.
for example if user send 10 "HTTP post" requests in 30s.

Is it possible to use irule or local traffic policies to mitigate these "HTTP Post" Flood attacks ?

Thanks,

  • Hi, here is your overly complicated iRule πŸ˜‰

    when RULE_INIT {
        set static::maxReqs 10;
        set static::timeout 30;
    }
    
    when HTTP_REQUEST {
        if { [string tolower [HTTP::method]] equals "post" } { 
            
            # The following expects the IP addresses in multiple X-forwarded-for headers.  It picks the first one.
            if { [HTTP::header exists X-forwarded-for] } {
                set client_IP_addr [getfield [lindex  [HTTP::header values X-Forwarded-For]  0] "," 1]
            } else {
                set client_IP_addr [IP::client_addr]
            }
            
            set getcount [table lookup -notouch $client_IP_addr]
            if { $getcount equals "" } {
                table set $client_IP_addr "1" $static::timeout $static::timeout
                # record of this session does not exist, starting new record, request is allowed.
            } else {
                if { $getcount < $static::maxReqs } {
                    table incr -notouch $client_IP_addr
                    # record of this session exists but request is allowed
                } else {
                    HTTP::respond 403 content {
                        <html>
                        <head><title>HTTP Request denied</title></head>
                        <body>Your HTTP POST requests are being throttled.</body>
                        </html>
                    }
                }
            }
        }
    }

    Credits for this iRule goes to F5. It's a slightly modified version of the iRule that can be found here: https://irules-http.readthedocs.io/en/latest/class2/module1/lab2.html

    Have fun,

         --Niels

3 Replies

  • Hi, here is your overly complicated iRule πŸ˜‰

    when RULE_INIT {
        set static::maxReqs 10;
        set static::timeout 30;
    }
    
    when HTTP_REQUEST {
        if { [string tolower [HTTP::method]] equals "post" } { 
            
            # The following expects the IP addresses in multiple X-forwarded-for headers.  It picks the first one.
            if { [HTTP::header exists X-forwarded-for] } {
                set client_IP_addr [getfield [lindex  [HTTP::header values X-Forwarded-For]  0] "," 1]
            } else {
                set client_IP_addr [IP::client_addr]
            }
            
            set getcount [table lookup -notouch $client_IP_addr]
            if { $getcount equals "" } {
                table set $client_IP_addr "1" $static::timeout $static::timeout
                # record of this session does not exist, starting new record, request is allowed.
            } else {
                if { $getcount < $static::maxReqs } {
                    table incr -notouch $client_IP_addr
                    # record of this session exists but request is allowed
                } else {
                    HTTP::respond 403 content {
                        <html>
                        <head><title>HTTP Request denied</title></head>
                        <body>Your HTTP POST requests are being throttled.</body>
                        </html>
                    }
                }
            }
        }
    }

    Credits for this iRule goes to F5. It's a slightly modified version of the iRule that can be found here: https://irules-http.readthedocs.io/en/latest/class2/module1/lab2.html

    Have fun,

         --Niels

    • raydakis's avatar
      raydakis
      Icon for Altocumulus rankAltocumulus

      Hello Niels,

      i'll try this irule in my labs environnement this week.

      Thanks πŸ‘

      raydakis