Forum Discussion

raydakis's avatar
raydakis
Icon for Altocumulus rankAltocumulus
Oct 27, 2023
Solved

HTTP Post Flood mitigation with LTM

Hello, Im using TMOS : 16.1.4 with LTM module only. I want to block IP addresses if HTTP POST requests on login page goes over some limit in specified period of time. for example if user send 10 "...
  • Niels_van_Sluis's avatar
    Oct 29, 2023

    Hi, here is your overly complicated iRule ğŸ˜‰

    when RULE_INIT {
        set static::maxReqs 10;
        set static::timeout 30;
    }
    
    when HTTP_REQUEST {
        if { [string tolower [HTTP::method]] equals "post" } { 
            
            # The following expects the IP addresses in multiple X-forwarded-for headers.  It picks the first one.
            if { [HTTP::header exists X-forwarded-for] } {
                set client_IP_addr [getfield [lindex  [HTTP::header values X-Forwarded-For]  0] "," 1]
            } else {
                set client_IP_addr [IP::client_addr]
            }
            
            set getcount [table lookup -notouch $client_IP_addr]
            if { $getcount equals "" } {
                table set $client_IP_addr "1" $static::timeout $static::timeout
                # record of this session does not exist, starting new record, request is allowed.
            } else {
                if { $getcount < $static::maxReqs } {
                    table incr -notouch $client_IP_addr
                    # record of this session exists but request is allowed
                } else {
                    HTTP::respond 403 content {
                        <html>
                        <head><title>HTTP Request denied</title></head>
                        <body>Your HTTP POST requests are being throttled.</body>
                        </html>
                    }
                }
            }
        }
    }

    Credits for this iRule goes to F5. It's a slightly modified version of the iRule that can be found here: https://irules-http.readthedocs.io/en/latest/class2/module1/lab2.html

    Have fun,

         --Niels